Abstract 

We introduce a general framework for reasoning about secrecy and privacy require- 
ments in multiagent systems. Our definitions extend earlier definitions of secrecy and 
nondeducibility given by Shannon and Sutherland. Roughly speaking, one agent main- 
tains secrecy with respect to another if the second agent cannot rule out any possibilities 
for the behavior or state of the first agent. We show that the framework can handle prob- 
ability and nondeterminism in a clean way, is useful for reasoning about asynchronous 
systems as well as synchronous systems, and suggests generalizations of secrecy that may 
be useful for dealing with issues such as resource-bounded reasoning. We also show that a 
number of well-known attempts to characterize the absence of information flow are special 
cases of our definitions of secrecy. 



1 Introduction 

In the past two decades there have been many attempts to define what it means for a sys- 
tem to be perfectly secure, in the sense that one group of agents is unable to deduce any- 
thing at all about the behavior of another. More generally, many papers in computer sci- 
ence have, in a variety of different settings, defined properties of "secrecy" or "privacy" and 
have discussed techniques for achieving these properties. In the computer-security literature, 
early definitions of "perfect security" were based on two different intuitions. Noninterference 
[Goguen and Meseguer 1982] attempted to capture the intuition that a classified agent is unable 
to interfere with an unclassified agent, while nondeducibility [Sutherland 1986] attempted to 
capture the intuition that an unclassified agent is unable to deduce anything about the state of 
a classified agent. Other definitions have involved a notion of "information flow", and taken 
a system to be secure if it is impossible for information to flow from a classified user to an un- 
classified user. With these basic ideas in mind, definitions of security have been provided for a 
wide variety of system models, including semantic models that encode all possible input/output 
behaviors of a computing system and language-based models that deal with process algebras 
and with more traditional constructs such as imperative programming languages. (Focardi and 
Gorrieri [2001] provide a classification of security properties expressed using process algebras; 
Sabelfeld and Myers [2003] give a survey of language-based techniques.) 

Sutherland's definition of nondeducibility was based on a simple idea: a system can be 
described as a set of "worlds" that encode the local states of classified and unclassified users, 
and security is maintained if classified and unclassified states are independent in the sense that 
an unclassified user can never totally rule out any classified state based on his own local state. 
As we shall see, nondeducibility is closely related to Shannon's [1949] probabilistic definition 
of secrecy in the context of cryptography, which requires classified and unclassified events to 
be (probabilistically) independent. In other words, the unclassified agent's posterior probability 
of a classified event should be the same as his prior probability of that event before he began 
interacting with the system. 

Definitions of noninterference based on Goguen and Meseguer's early work are quite different 
in flavor from the definitions of Shannon and Sutherland. Typically, they represent the 
system as a set of input/output traces, and deem the system secure if the set of traces is closed 
under operations that add or remove classified events. Variants of this idea have been pro- 
posed to deal with issues such as verification, system composition, timing attacks, and so on. 
Although these definitions have been useful for solving a variety of technical problems, the 
complexity of some of this work has, in our view, obscured the simplicity of earlier definitions 
based on the notion of independence. While nondeducibility has been criticized for its inabil- 
ity to deal with a variety of security concerns, we claim that the basic idea captures notions of 
secrecy and privacy in an elegant and useful way. 

In this paper we define secrecy in terms of an agent's knowledge, using the "runs-and-systems" 
framework [Fagin, Halpern, Moses, and Vardi 1995]. Our definitions can be viewed 
as generalizing the notion of nondeducibility to systems in which agents interact with each 
other over time. 

The runs and systems framework generalizes the standard input/output trace models that 
have been used in many definitions of noninterference. The trace-based approach has been 
concerned primarily with the input and output values exchanged as a user or observer interacts 
with the system. Thus, with a trace-based approach, it is possible to define secrecy only for 
systems that can be characterized by observable input and output events. This is insufficient 
for modeling a variety of interesting systems. As Focardi and Gorrieri [2001] point out, for 
example, it is difficult to deal with issues such as deadlock using a purely trace-based approach. 
It is also difficult to represent an agent's notion of time in systems that may exhibit differing 
degrees of synchrony. As we shall see, the added generality of the runs and systems approach 
lets us deal with these issues in a straightforward way. 

Many frameworks for reasoning about secrecy and information flow have assumed, often 
implicitly, a very coarse notion of uncertainty. Either an agent knows, with certainty, that some 
fact is true, or she does not; a definition of secrecy (with respect to some agent) amounts to 
a characterization of which facts the agent must not know, or which facts she must think are 
possible. Indeed, this is precisely the intuition that we make precise in Section 3. In the 
literature, such definitions are called possibilistic, because they consider only what agents consider 
possible or impossible. In practice, however, such a coarse-grained notion of uncertainty is 
simply too weak; it is easy to concoct examples where one agent has possibilistic secrecy, but 
where intuition suggests that secrecy is not maintained. We extend our definitions of secrecy to 
incorporate probability, a much more fine-grained notion of uncertainty. Just as Shannon's def- 
initions of secrecy can be viewed as a probabilistic strengthening of Sutherland's definition of 
nondeducibility, our definitions of probabilistic secrecy generalize the possibilistic definitions 
we give. In fact, there is a sense in which they are the same definitions, except with a different 
measure of uncertainty — a point made precise when we generalize to plausibilistic secrecy in 
Section 5. 

Our approach has an additional advantage: it enables us to provide syntactic characteriza- 
tions of secrecy, using a logic that includes modal operators for reasoning about knowledge and 
probability. We discuss what it means for a fact to "depend on" the state of an agent and show 
that secrecy can be characterized as the requirement that unclassified agents never know any 
fact that depends on the state of a classified agent. (In the probabilistic case, the requirement 
is that unclassified agents must think that any such fact is equally likely at all points of the 
system.) This knowledge-based characterization lets us make precise the connection between 
secrecy (of the classified agent with respect to the unclassified agent) and the notion of a "se- 
cret", i.e., a fact about the system that an agent is not allowed to know. This syntactic approach 
also opens the door to natural generalizations of information-flow properties that require se- 
crecy for only some facts, as well as allowing us to consider notions of secrecy based on more 
computational notions of knowledge, which may be more appropriate for resource-bounded 
agents. 

As we show in Section our approach provides insight into a number of other def- 
initions of secrecy, privacy, and noninterference that have been proposed in the literature. 
We illustrate this point by considering separability [McLean 1994], generalized noninterference 
[McLean 1994], nondeducibility on strategies [Wittbold and Johnson 1990], and probabilistic 
noninterference [Gray and Syverson 1998]. One of our goals in this section, obviously, 
is to convince the reader that our definitions are in fact as general as we claim they are. More 
importantly, we hope that providing a unified framework for comparing definitions of secrecy 
will facilitate the cross-fertilization of ideas. 

The rest of the paper is organized as follows. Section 2 reviews the multiagent systems 
framework and the definition of knowledge in multiagent systems. In Section 3 we define 
secrecy and relate it to Sutherland's notion of nondeducibility. We also consider syntactic 
definitions of secrecy using a logic of knowledge. Section 4 considers probabilistic secrecy, 
while Section 5 considers plausibilistic secrecy. In Section 6 we compare our definitions with 
others that have been given in the security literature. We conclude in Section 7. Most proofs 
are deferred to the appendix. 

2 Knowledge and Multiagent Systems 

A multiagent system consists of n agents, each of whom is in some local state at a given point 
in time. We assume that an agent's local state encapsulates all the information to which she 
has access. In a security setting the local state of an agent might include initial information 
regarding keys, the messages she has sent and received, and perhaps the reading of a clock. 
The basic framework makes no assumptions about the precise nature of the local state. 

We can view the whole system as being in some global state, which is a tuple consisting of 
the local state of each agent and the state of the environment, where the environment consists 
of everything relevant to the system that is not contained in the state of the agents. Thus, a 
global state has the form $(s_e, s_1, \ldots, s_n)$, where $s_e$ is the state of the environment and $s_i$ is 
agent $i$'s state, for $i = 1, \ldots, n$. 

A run is a function from time to global states. Intuitively, a run is a complete description 
of what happens over time in one possible execution of the system. A point is a pair (r, m) 
consisting of a run r and a time m. For simplicity, we take time to range over the natural 
numbers. At a point $(r, m)$, the system is in some global state $r(m)$. If $r(m) = (s_e, s_1, \ldots, s_n)$, 
then we take $r_i(m)$ to be $s_i$, agent $i$'s local state at the point $(r, m)$. Formally, a system consists 
of a set of runs (or executions). Let $\mathcal{PT}(\mathcal{R})$ denote the points in a system $\mathcal{R}$. 

Given a system $\mathcal{R}$, let $\mathcal{K}_i(r, m)$ be the set of points in $\mathcal{PT}(\mathcal{R})$ that $i$ thinks are possible at 
$(r, m)$, i.e., 

$$\mathcal{K}_i(r, m) = \{(r', m') \in \mathcal{PT}(\mathcal{R}) : r'_i(m') = r_i(m)\}.$$

The set $\mathcal{K}_i(r, m)$ is often called an $i$-information set because, intuitively, it corresponds to the 
system-dependent information encoded in $i$'s local state at the point $(r, m)$. 

A natural question to ask is where these runs come from. While the framework itself does 
not deal with this issue, in practice, we are interested in systems where the runs are generated by 
a simple set of rules, such as a communication or security protocol, a program written in some 
programming language, or a process described in a concurrent process language. Translating 
such rules to a set of runs is not always straightforward, but doing so is often useful inasmuch 
as it forces us to think carefully about what features of the system are essential and relevant to 
the safety or correctness issues that we are interested in. This, in turn, determines the form of 
the local states. 

To reason formally about secrecy in multiagent systems, we use a logic of knowledge and 
time. Starting with a set $\Phi$ of primitive propositions, we close off under negation, conjunction, 
the modal operators $K_i$ for $i = 1, \ldots, n$, and $\Diamonddot$. In the context of security protocols, the set $\Phi$ 
might consist of primitive propositions corresponding to facts such as "the key is $n$" or "agent 
$A$ sent the message $m$ to $B$". As usual, $K_i \varphi$ means that agent $i$ knows $\varphi$; $K_i \varphi$ is true at a point $(r, m)$ 
if $\varphi$ is true at all points in $\mathcal{K}_i(r, m)$. Finally, $\Diamonddot \varphi$ is true at a point $(r, m)$ if $\varphi$ is true at some 
point on run $r$ (either before, at, or after time $m$). While it is, of course, possible to define other 
temporal operators, the $\Diamonddot$ operator will prove particularly useful in our definitions. 

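We use the standard approach [Fagin, Halpern, Moses, and Vardi 1995] to give semantics 
to this language. An interpreted system $\mathcal{I}$ consists of a pair $(\mathcal{R}, \pi)$, where $\mathcal{R}$ is a system and $\pi$ 
is an interpretation for the primitive propositions in $\Phi$ that assigns truth values to the primitive 
propositions at the global states. Thus, for every $p \in \Phi$ and global state $s$ that arises in $\mathcal{R}$, we 
have $(\pi(s))(p) \in \{\mathbf{true}, \mathbf{false}\}$. Of course, $\pi$ also induces an interpretation over the points in 
$\mathcal{PT}(\mathcal{R})$: simply take $\pi(r, m)$ to be $\pi(r(m))$. We now define what it means for a formula $\varphi$ to 
be true at a point $(r, m)$ in an interpreted system $\mathcal{I}$, written $(\mathcal{I}, r, m) \models \varphi$, by induction on the 
structure of formulas: 

• $(\mathcal{I}, r, m) \models p$ iff $(\pi(r, m))(p) = \mathbf{true}$; 

• $(\mathcal{I}, r, m) \models \varphi \land \psi$ iff $(\mathcal{I}, r, m) \models \varphi$ and $(\mathcal{I}, r, m) \models \psi$; 

• $(\mathcal{I}, r, m) \models \neg\varphi$ iff $(\mathcal{I}, r, m) \not\models \varphi$; 

• $(\mathcal{I}, r, m) \models K_i \varphi$ iff $(\mathcal{I}, r', m') \models \varphi$ for all $(r', m') \in \mathcal{K}_i(r, m)$; 

• $(\mathcal{I}, r, m) \models \Diamonddot \varphi$ iff there exists $n$ such that $(\mathcal{I}, r, n) \models \varphi$. 

As usual, we say that $\varphi$ is valid in $\mathcal{I}$ and write $\mathcal{I} \models \varphi$ if $(\mathcal{I}, r, m) \models \varphi$ for all points $(r, m)$ in 
$\mathcal{I}$; similarly, $\varphi$ is satisfiable in $\mathcal{I}$ if $(\mathcal{I}, r, m) \models \varphi$ for some point $(r, m)$ in $\mathcal{I}$. We abbreviate 
$\neg K_i \neg\varphi$ as $P_i \varphi$. We read $P_i \varphi$ as "(according to agent $i$) $\varphi$ is possible". Note that $(\mathcal{I}, r, m) \models P_i \varphi$ 
if there exists a point $(r', m') \in \mathcal{K}_i(r, m)$ such that $(\mathcal{I}, r', m') \models \varphi$. 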

The systems framework lets us express in a natural way some standard assumptions about 
systems. For example, we can reason about synchronous systems, where agents always know 
the time. Formally, $\mathcal{R}$ is synchronous if, for all agents $i$ and points $(r, m)$ and $(r', m')$, if 
$r_i(m) = r'_i(m')$, then $m = m'$. 

Another standard assumption (implicitly made in almost all systems models considered 
in the security literature) is that agents have perfect recall. Roughly speaking, an agent with 
perfect recall can reconstruct his complete local history. In synchronous systems, for example, 
an agent's local state changes with every tick of the external clock, so agent $i$'s having perfect 
recall implies that the sequence $(r_i(0), \ldots, r_i(m))$ must be encoded in $r_i(m + 1)$. To formalize 
this intuition, let agent $i$'s local-state sequence at the point $(r, m)$ be the sequence of local 
states she has gone through in run $r$ up to time $m$, without consecutive repetitions. Thus, if 
from time 0 through time 4 in run $r$ agent $i$ has gone through the sequence $(s_i, s_i, s'_i, s_i, s_i)$ 
of local states, where $s_i \ne s'_i$, then her local-state sequence at $(r, 4)$ is $(s_i, s'_i, s_i)$. Intuitively, 
an agent has perfect recall if her current local state encodes her local-state sequence. More 
formally, we say that agent $i$ has perfect recall in system $\mathcal{R}$ if, at all points $(r, m)$ and $(r', m')$ 
in $\mathcal{PT}(\mathcal{R})$, if $(r', m') \in \mathcal{K}_i(r, m)$, then agent $i$ has the same local-state sequence at both $(r, m)$ 
and $(r', m')$. Thus, agent $i$ has perfect recall if she "remembers" her local-state sequence at 
all times. It is easy to check that perfect recall has the following key property: if $(r', m'_1) \in 
\mathcal{K}_i(r, m_1)$, then for all $m_2 \le m_1$, there exists $m'_2 \le m'_1$ such that $(r', m'_2) \in \mathcal{K}_i(r, m_2)$. (See 
[Fagin, Halpern, Moses, and Vardi 1995] for more discussion of this definition.) 



3 Secrecy in Nonprobabilistic Systems 
3.1 Defining Secrecy 

In this section, we give abstract definitions of secrecy and motivate these definitions using the 
runs and systems model. Roughly speaking, we define secrecy so as to ensure that low-level 
agents do not know anything about the state of high-level agents. In Section 3.2 we formalize 
these intuitions using the epistemic logic of Section 2. 

The strongest notion of secrecy that we consider in this section is the requirement that a 
low-level agent, based on her local state, should never be able to determine anything about the 
local state of the high-level agent. More specifically, the low-level agent should never be able 
to rule out any possible high-level state. In terms of knowledge, this means that the low-level 
agent must never know that some high-level state is incompatible with her current low-level 
state. To ensure that the low-level agent L is not able to rule out any possible high-level states, 
we insist that every possible low-level state is compatible with every possible high-level 
state. 

Definition 3.1: Agent $j$ maintains total secrecy with respect to $i$ in system $\mathcal{R}$ if, for all points 
$(r, m)$ and $(r', m')$ in $\mathcal{PT}(\mathcal{R})$, $\mathcal{K}_i(r, m) \cap \mathcal{K}_j(r', m') \ne \emptyset$. 

Note that if we take i to be the low-level agent L and j to be the high-level agent H, then this 
definition just formalizes the informal definition given above. At the point (r, m), L cannot 
rule out any possible local state of H. 

Total secrecy is a strong property. For almost any imaginable system, it is, in fact, too 
strong to be useful. There are two important respects in which it is too strong. The first respect 
has to do with the fact that total secrecy protects everything about the state of the high-level 
agent. In some systems, we might want only some part of the high-level agent's state to be 
kept secret from the low-level agent. For example, we might want the high-level agent to be 
able to see the state of the low-level agent, in which case our definitions are too strong because 
they rule out any correlation between the states of the high-level and low-level agents. We can 
correct this situation by extracting from H's state the information that is relevant and ensuring 
that the relevant part of H's state is kept secret. 

Definition 3.2: A $j$-information function on $\mathcal{R}$ is a function $f$ from $\mathcal{PT}(\mathcal{R})$ to some range that 
depends only on $j$'s local state; that is, $f(r, m) = f(r', m')$ if $r_j(m) = r'_j(m')$. 

Thus, for example, if $j$'s local state at any point $(r, m)$ includes both its input and output, 
$f(r, m)$ could be just the output component of $j$'s local state. 

Definition 3.3: If $f$ is a $j$-information function, agent $j$ maintains total $f$-secrecy with respect 
to $i$ in system $\mathcal{R}$ if, for all points $(r, m)$ and values $v$ in the range of $f$, $\mathcal{K}_i(r, m) \cap f^{-1}(v) \ne \emptyset$ 
(where $f^{-1}(v)$ is simply the preimage of $v$, that is, all points $(r, m)$ such that $f(r, m) = v$). 

Of course, if $f(r, m) = r_j(m)$, then $f^{-1}(r'_j(m')) = \mathcal{K}_j(r', m')$, so total secrecy is a special 
case of total $f$-secrecy. 

Total $f$-secrecy is a special case of nondeducibility, introduced by Sutherland [1986]. 
Sutherland considers "abstract" systems that are characterized by a set $W$ of worlds. He focuses 
on two agents, whose views are represented by information functions $g$ and $h$ on $W$. 
Sutherland says that no information flows from $g$ to $h$ if, for all worlds $w, w' \in W$, there exists 
some world $w'' \in W$ such that $g(w'') = g(w)$ and $h(w'') = h(w')$. This notion is often called 
nondeducibility (with respect to $g$ and $h$) in the literature. To see how total $f$-secrecy is a special 
case of nondeducibility, let $W = \mathcal{PT}(\mathcal{R})$, the set of all points of the system. Given a point 
$(r, m)$, let $g(r, m) = r_i(m)$. Then total $f$-secrecy is equivalent to nondeducibility with respect 
to $g$ and $f$. 

Note that nondeducibility is symmetric: no information flows from $g$ to $h$ iff no information 
flows from $h$ to $g$. Since most standard noninterference properties focus only on protecting the 
state of some high-level agent, symmetry appears to suggest that if the actions of a high-level 
agent are kept secret from a low-level agent, then the actions of a low-level agent must also be 
kept secret from the high-level agent. Our definitions help to clarify this issue. Total secrecy 
as we have defined it is indeed symmetric: $j$ maintains total secrecy with respect to $i$ iff $i$ 
maintains total secrecy with respect to $j$. However, total $f$-secrecy is not symmetric in general. 
If $j$ maintains total $f$-secrecy with respect to $i$, it may not even make sense to talk about $i$ 
maintaining total $f$-secrecy with respect to $j$, because $f$ may not be an $i$-information function. 
Thus, although $f$-secrecy is an instantiation of nondeducibility (with respect to an appropriate 
$g$ and $h$), the symmetry at the level of $g$ and $h$ does not translate to symmetry at the level of 
$f$-secrecy, which is where it matters. 

While $f$-secrecy is useful conceptually, it is essentially a trivial technical generalization of 
the basic notion of secrecy, because for any agent $j$ and $j$-information function $f$, we can reason 
about a new agent $j_f$ whose local state at any point $(r, m)$ is $r_{j_f}(m) = f(r, m)$. Therefore, 
every theorem we prove involving secrecy holds for $f$-secrecy as well. For this reason, and to 
simplify the definitions given in the remainder of the paper, we ignore information functions, 
and deal only with secrecy of one agent with respect to another. We remark that this ability to 
"create" new agents, by identifying an agent with a function on global states, turns out to be 
quite useful, since our definitions hold without change for any agent created this way. 

The second respect in which total secrecy is too strong involves time. To understand the 
issue, consider synchronous systems (as defined in Section 2). In such systems, the low-level 
agent knows the time and knows that the high-level agent knows it too. Thus, the low-level 
agent can rule out all high-level states except those that occur at the current time. Even in 
semisynchronous systems, where agents know the time to within some tolerance $\epsilon$, total secrecy 
is impossible, because low-level agents can rule out high-level states that occur only in the 
distant past or future. 

We now present two ways of resolving this problem. The first way weakens total secrecy 
by considering runs, instead of points. Total secrecy (of $j$ with respect to $i$) says that at all 
times, agent $i$ must consider all states of $j$ to be (currently) possible. A weaker version of total 
secrecy says that at all times, $i$ must consider it possible that every possible state of $j$ either 
occurs at that time, or at some point in the past or future. We formalize this in the following 
definition. Given a set $U$ of points, let $\mathcal{R}(U)$ consist of the runs in $\mathcal{R}$ going through a point in 
$U$. That is, $\mathcal{R}(U) = \{r \in \mathcal{R} : (r, m) \in U \text{ for some } m\}$. 

Definition 3.4: Agent $j$ maintains run-based secrecy with respect to $i$ in system $\mathcal{R}$ if, for all 
points $(r, m)$ and $(r', m')$ in $\mathcal{PT}(\mathcal{R})$, $\mathcal{R}(\mathcal{K}_i(r, m)) \cap \mathcal{R}(\mathcal{K}_j(r', m')) \ne \emptyset$. 

It is easy to check that $j$ maintains run-based secrecy with respect to $i$ in system $\mathcal{R}$ iff for 
all points $(r, m)$ and $(r', m')$ in $\mathcal{PT}(\mathcal{R})$, there exists a run $r''$ and times $n$ and $n'$ such that 
$r''_i(n) = r_i(m)$ and $r''_j(n') = r'_j(m')$. To relate the formal definition to its informal motivation, 
note that every state of $j$ that occurs in the system has the form $r'_j(m')$ for some point $(r', m')$. 
Suppose that $i$'s state is $r_i(m)$. If there exists a point $(r'', n'')$ such that $r''_i(n'') = r_i(m)$ and 
$r''_j(n'') = r'_j(m')$, agent $i$ considers it possible that $j$ currently has state $r'_j(m')$. If instead 
$r''_j(n) = r'_j(m')$ for $n < n''$, then $i$ currently considers it possible that $j$ was in state $r'_j(m')$ 
at some point in the past; similarly, if $n > n''$, then $i$ thinks that $j$ could be in state $r'_j(m')$ at 
some point in the future. Note that total secrecy implies run-based secrecy, but the converse is 
not necessarily true (as shown in Example A.2). While run-based secrecy is still a very strong 
security property, it seems much more reasonable than total secrecy. 

The second way to weaken total secrecy is to relax the requirement that the low-level agent 
cannot rule out any possible high-level states. We make this formal as follows. 

Definition 3.5: An $i$-allowability function on $\mathcal{R}$ is a function $C$ from $\mathcal{PT}(\mathcal{R})$ to subsets of 
$\mathcal{PT}(\mathcal{R})$ such that $\mathcal{K}_i(r, m) \subseteq C(r, m)$ for all $(r, m) \in \mathcal{PT}(\mathcal{R})$. 

Intuitively, $\mathcal{PT}(\mathcal{R}) - C(r, m)$ is the set of points that $i$ is allowed to "rule out" at the point 
$(r, m)$. It seems reasonable to insist that the points that $i$ considers possible at $(r, m)$ not be 
ruled out, which is why we require that $\mathcal{K}_i(r, m) \subseteq C(r, m)$. 

Definition 3.6: If $C$ is an $i$-allowability function, then $j$ maintains $C$-secrecy with respect to $i$ 
if, for all points $(r, m) \in \mathcal{PT}(\mathcal{R})$ and $(r', m') \in C(r, m)$, we have $\mathcal{K}_i(r, m) \cap \mathcal{K}_j(r', m') \ne \emptyset$. 

If $C(r, m) = \mathcal{PT}(\mathcal{R})$ for all points $(r, m) \in \mathcal{PT}(\mathcal{R})$, then $C$-secrecy reduces to total secrecy. 
In general, allowability functions give a generalization of secrecy that is orthogonal to 
information functions. 

Synchrony can be captured by the allowability function $S(r, m) = \{(r', m) : r' \in \mathcal{R}\}$. Informally, 
this says that agent $i$ is allowed to know what time it is. We sometimes call $S$-secrecy 
synchronous secrecy. In synchronous systems, synchronous secrecy has a simple characterization. 

Proposition 3.7: Agent $j$ maintains synchronous secrecy with respect to $i$ in a synchronous 
system $\mathcal{R}$ iff, for all runs $r, r' \in \mathcal{R}$ and times $m$, we have that $\mathcal{K}_i(r, m) \cap \mathcal{K}_j(r', m) \ne \emptyset$. 

Proof: This follows trivially from the definitions. 

In synchronous input/output trace systems, synchronous secrecy is essentially equivalent to 
the standard notion of separability [McLean 1994]. (Total secrecy can be viewed as an asynchronous 
version of separability. See Section 6 for further discussion of this issue.) The 
security literature has typically focused on either synchronous systems or completely asyn- 
chronous systems. One advantage of our framework is that we can easily model both of these 
extreme cases, as well as being able to handle in-between cases, which do not seem to have 
been considered up to now. Consider a semisynchronous system where agents know the time 
to within a tolerance of $\epsilon$. At time 5, for example, an agent knows that the true time is in the 
interval $[5 - \epsilon, 5 + \epsilon]$. This corresponds to the allowability function 
$SS(r, m) = \{(r', m') : |m - m'| \le \epsilon\}$, for the appropriate $\epsilon$. We believe that any attempt to define security for 
semisynchronous systems will require something like allowability functions. 

The notions of run-based secrecy and $C$-secrecy are distinct, in the sense that there are 
systems where run-based secrecy holds and $C$-secrecy does not, and other systems where $C$-secrecy 
holds but run-based secrecy does not. If agents do not have perfect recall, we may have 
synchronous secrecy without having run-based secrecy, and if the system is asynchronous, 
we may have run-based secrecy without having synchronous secrecy. (See Appendix A for 
examples.) On the other hand, there are contexts in which the two approaches capture the same 
intuitions. Consider our definition of synchronous secrecy. While synchronous secrecy may 
seem like a reasonable condition, intuition might at first seem to suggest that it goes too far 
in weakening total secrecy. Informally, $j$ maintains total secrecy with respect to $i$ if $i$ never 
learns anything not only about $j$'s current state, but also his possible future and past states. 
Synchronous secrecy seems to say only that $i$ never learns anything about $j$'s state at the current 
time. However, when agents have perfect recall, it turns out that synchronous secrecy implies 
run-based secrecy, thus addressing this concern. 

To make this precise for a more general class of allowability functions, we need the fol- 
lowing definition, which captures the intuition that an allowability function depends only on 
timing. Given any two runs, we want the allowability function to map points on the first run to 
contiguous, nonempty sets of points on the second run in a way that respects the ordering of 
points on the first run, and covers all points on the second run. 

Definition 3.8: An allowability function $C$ depends only on timing if it satisfies the following 
three conditions: (a) for all runs $r, r' \in \mathcal{R}$, and all times $m'$, there exists $m$ such that 
$(r', m') \in C(r, m)$; (b) if $(r', m') \in C(r, m)$, and $n > m$ (resp. $n < m$), there exists $n' > m'$ (resp. 
$n' < m'$) such that $(r', n') \in C(r, n)$; (c) if $(r', n_1) \in C(r, m)$, $(r', n_2) \in C(r, m)$, and 
$n_1 < m' < n_2$, then $(r', m') \in C(r, m)$. 

It is easy to check that both synchronous and semi-synchronous allowability functions depend 
only on timing. We now show that C-secrecy implies run-based secrecy if C depends only on 
timing. 

Proposition 3.9: If $\mathcal{R}$ is a system where i and j have perfect recall, C depends only on timing, 
and j maintains C-secrecy with respect to i, then j maintains run-based secrecy with respect 
to i. 

In synchronous systems with perfect recall, synchronous secrecy and run-based secrecy 
agree. This reinforces our claim that both definitions are natural, useful weakenings of total 
secrecy. 

Proposition 3.10: If $\mathcal{R}$ is a synchronous system where both i and j have perfect recall, then 
agent j maintains synchronous secrecy with respect to i iff j maintains run-based secrecy with 
respect to i. 

The requirement in Proposition 3.10 that both agents have perfect recall is necessary; see 
Example A.1 for details. Without perfect recall, two things can go wrong. First, if i does not 
have perfect recall, she might be able to determine at time n what j's state is going to be at 
some future time n' > n, but then forget about it by time n', so that j maintains synchronous 
secrecy with respect to i, but not run-based secrecy. Second, if j does not have perfect recall, 
i might learn something about j's state in the past, but j might still maintain synchronous 
secrecy with respect to i because j has forgotten this information by the time i learns it. These 
examples suggest that secrecy is perhaps not as interesting when agents can forget things that 
have happened in the past. Intuitively, we should be proving secrecy under the assumption 
of perfect recall, rather than trusting that agents will forget important facts whenever we want 
them to. 
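
The definitions of this section can be checked mechanically on a small system. The following Python code is an added example, not code from the paper: it assumes runs cut off at a finite horizon, omits the environment component, and uses three constructed two-run systems (the names SEALED, LEAKY and FORGETFUL and the layout of the local states are hypothetical).

```python
# Added example: finite-horizon systems; the environment component is omitted.
# A system is a list of runs, a run is a tuple of global states, and a global
# state is the pair (LOW's local state, HIGH's local state).
LOW, HIGH = 0, 1          # agent i (low-level) and agent j (high-level)

def points(system):
    """PT(R): every (run index, time) pair."""
    return {(r, m) for r, run in enumerate(system) for m in range(len(run))}

def info_set(system, agent, point):
    """K_agent(r, m): points where `agent` has the same local state."""
    state = system[point[0]][point[1]][agent]
    return {(r, m) for (r, m) in points(system) if system[r][m][agent] == state}

def runs_through(pts):
    """R(U): the runs that go through some point of U."""
    return {r for (r, _) in pts}

def everything(system, point):
    """C(r, m) = PT(R): C-secrecy for this C is total secrecy."""
    return points(system)

def same_time(system, point):
    """S(r, m) = {(r', m)}: agent i may know what time it is."""
    return {(r, m) for (r, m) in points(system) if m == point[1]}

def within(eps):
    """SS(r, m) = {(r', m') : |m - m'| <= eps} for semisynchronous systems."""
    return lambda system, point: {
        (r, m) for (r, m) in points(system) if abs(m - point[1]) <= eps}

def c_secrecy(system, i, j, allow):
    """Definition 3.6: K_i(r, m) meets K_j(r', m') for every (r', m') in C(r, m)."""
    for p in points(system):
        k_i, allowed = info_set(system, i, p), allow(system, p)
        if not k_i <= allowed:
            raise ValueError(f"not an i-allowability function at {p}")
        if any(not (k_i & info_set(system, j, q)) for q in allowed):
            return False    # at p, agent i rules out the state j has at q
    return True

def run_based_secrecy(system, i, j):
    """Definition 3.4: R(K_i(r, m)) meets R(K_j(r', m')) for all pairs of points."""
    pts = points(system)
    return all(runs_through(info_set(system, i, p)) &
               runs_through(info_set(system, j, q)) for p in pts for q in pts)

def make_system(low_view, high_view, horizon=3):
    """Constructed two-run system, one run per secret bit b. Both agents carry a
    clock; low_view(b, m) and high_view(b, m) are the rest of their local states."""
    return [tuple(((m, low_view(b, m)), (m, high_view(b, m)))
                  for m in range(horizon)) for b in (0, 1)]

# HIGH holds b throughout; LOW sees only the clock.
SEALED = make_system(lambda b, m: None, lambda b, m: b)
# LOW is shown b at time 2.
LEAKY = make_system(lambda b, m: b if m == 2 else None, lambda b, m: b)
# No perfect recall: LOW sees at time 0 the bit HIGH will hold at time 2,
# then forgets it; HIGH only holds the bit at time 2.
FORGETFUL = make_system(lambda b, m: b if m == 0 else None,
                        lambda b, m: b if m == 2 else None)

def report(system):
    """Evaluate the three secrecy notions of Section 3.1 for HIGH w.r.t. LOW."""
    return {"total": c_secrecy(system, LOW, HIGH, everything),
            "synchronous": c_secrecy(system, LOW, HIGH, same_time),
            "run_based": run_based_secrecy(system, LOW, HIGH)}

if __name__ == "__main__":
    for name, system in [("SEALED", SEALED), ("LEAKY", LEAKY),
                         ("FORGETFUL", FORGETFUL)]:
        print(name, report(system))
```

Total secrecy fails even for SEALED because LOW's clock rules out HIGH's states at other times, which is the timing objection raised above. FORGETFUL is the first failure described in the preceding paragraph: synchronous secrecy holds while run-based secrecy does not.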

3.2 Characterizing Secrecy Syntactically 

Our definition of secrecy is semantic; it is given in terms of the local states of the agents. As 
we shall see, it is helpful to reason syntactically about secrecy, using the logic of knowledge 
discussed in Section 2. Our goal in this section is to characterize secrecy in terms of the 
knowledge — or more precisely, the lack of knowledge — of the agent with respect to whom 
secrecy is maintained. To this end, we show that the state of an agent j is kept secret from an 
agent i exactly if i does not know any formulas that depend only on the state of j, or, dually, if 
i always thinks that any formula that depends on the state of j is currently possible. 

For this characterization, we use the modal logic of knowledge described in Section 2. But 
first, we need to define what it means for a formula to depend on the local state of a particular 
agent. Given an agent $j$, a formula $\varphi$ is $j$-local in an interpreted system $\mathcal{I}$ if, for all points 
$(r, m)$ and $(r', m')$ such that $r_j(m) = r'_j(m')$, $(\mathcal{I}, r, m) \models \varphi$ iff $(\mathcal{I}, r', m') \models \varphi$. It is easy 
to check that $\varphi$ is $j$-local in $\mathcal{I}$ iff $\mathcal{I} \models K_j \varphi \lor K_j \neg\varphi$; thus, $j$-locality can be characterized 
syntactically. (See [Engelhardt, Meyden, and Moses 1998] for an introduction to the logic of 
local propositions.) The notion of $j$-locality has another useful semantic characterization: 

Proposition 3.11: A formula $\varphi$ is $j$-local in an interpreted system $\mathcal{I} = (\mathcal{R}, \pi)$ iff there exists a 
set $\Omega$ of $j$-information sets such that $(\mathcal{I}, r, m) \models \varphi$ exactly when $(r, m) \in \bigcup_{\mathcal{K} \in \Omega} \mathcal{K}$. 

The following theorem shows that the semantic characterizations of secrecy given in Section 3.1
correspond closely to our intuitions of what secrecy should mean: agent j maintains
secrecy with respect to i precisely if i cannot rule out any satisfiable facts that depend only on 
the local state of j. 

Theorem 3.12: Suppose that C is an i-allowability function. Agent j maintains C-secrecy with
respect to agent i in system $\mathcal{R}$ iff, for every interpretation $\pi$ and point $(r, m)$, if $\varphi$ is j-local and
$(\mathcal{I}, r', m') \models \varphi$ for some $(r', m') \in C(r, m)$, then $(\mathcal{I}, r, m) \models P_i\varphi$.

Since total secrecy is just C-secrecy for the allowability function C such that $C(r, m)$ consists
of all points in $\mathcal{R}$, the following corollary, which gives an elegant syntactic characterization
of total secrecy, is immediate.

Corollary 3.13: Agent j maintains total secrecy with respect to agent i in system $\mathcal{R}$ iff, for
every interpretation $\pi$, if the formula $\varphi$ is j-local and satisfiable in $\mathcal{I} = (\mathcal{R}, \pi)$, then $\mathcal{I} \models P_i\varphi$.

Corollary 3.13 says that total secrecy requires i not to know any j-local fact that is not valid
in $\mathcal{I}$. A similar result holds for synchronous secrecy. For brevity, and because we prove more
general results in later sections, we ignore the details here. 

We can also give a similar syntactic characterization of run-based secrecy. For j to maintain
total secrecy with respect to i, if $\varphi$ is j-local, it is always necessary for i to think that $\varphi$ was
possible. For run-based secrecy, we require only that i think that $\varphi$ is possible sometime in the
current run. Recall that the formula $\Diamond\!\!\!\cdot\,\varphi$ means "$\varphi$ is true at some point in the current run".

Theorem 3.14: Agent j maintains run-based secrecy with respect to agent i in system $\mathcal{R}$ iff,
for every interpretation $\pi$, if $\varphi$ is j-local and satisfiable in $\mathcal{I} = (\mathcal{R}, \pi)$, then $\mathcal{I} \models P_i\,\Diamond\!\!\!\cdot\,\varphi$.

The results of this section show that secrecy has a syntactic characterization that is equiva- 
lent to the semantic characterization. There are several significant advantages to having such a 
syntactic characterization. For one thing, it suggests that secrecy can be checked by applying 
model-checking techniques (although techniques would have to be developed to allow checking
$P_i\varphi$ for all formulas $\varphi$). Perhaps more importantly, it suggests some natural generalizations
of secrecy that may be of practical interest. For example, it may not be relevant that i not know
all satisfiable formulas. It may be enough for a system designer that i does not know only
certain formulas. This may be particularly relevant for declassification or downgrading: if a
noninterference property corresponds to a set of formulas that must be kept secret from the
low-level agent, formulas can be declassified by removing them from the set. Another significant
generalization involves replacing knowledge by a more computational notion, such as algorithmic
knowledge [Fagin, Halpern, Moses, and Vardi 1995; Halpern and Pucella 2003a]. Recall
that the definition of knowledge described in Section 2 suffers from the logical omniscience
problem: agents know all tautologies and know all logical consequences of their knowledge
[Fagin, Halpern, Moses, and Vardi 1995]. In the context of security, we are more interested in
what resource-bounded agents know. It does not matter that an agent with unbounded compu- 
tational resources can factor and decrypt a message as long as a resource-bounded agent cannot 
decrypt the message. By requiring only that an agent does not algorithmically know various 
facts, we can capture secrecy with respect to resource-bounded agents. 

4 Secrecy in Probabilistic Systems 

The definitions of secrecy that we have considered up to now are possibilistic; they consider only
whether or not an event is possible. They thus cannot capture what seem like rather serious
leakages of information. As a motivating example, consider a system $\mathcal{R}$ with two agents Alice
and Bob, who we think of as sitting at separate computer terminals. Suppose that L is a language
with n words. At time 1, Bob inputs a string $x \in L$ chosen uniformly at random. At
time 2, with probability $1 - \epsilon$, the system outputs x directly to Alice's terminal. However, with
probability $\epsilon$, the system is struck by a cosmic ray as Bob's input is transmitted to Alice, and in
this case the system outputs a random string from L. (Bob receives no information about what
Alice sees.) Thus, there are $n(n + 1)$ possible runs in this system: n runs where no cosmic ray
hits, and $n^2$ runs where the cosmic ray hits. Moreover, it is immediate that Bob maintains
(possibilistic) synchronous secrecy with respect to Alice even though, with very high probability,
Alice sees exactly what Bob's input was.

To reason about the unwanted information flow in this example, we need to add probability
to the framework. We can do that in this example by putting the obvious probability measure
on the runs in $\mathcal{R}$:

• for each $x \in L$, the run where Bob inputs x and no cosmic ray hits (so that Alice sees x)
gets probability $(1 - \epsilon)/n$.

• for each pair $(x, y) \in L \times L$, the run where the cosmic ray hits, Bob inputs x, and Alice
sees y gets probability $\epsilon/n^2$.

If Alice sees x, her posterior probability that Bob's input was x is

$$\Pr\nolimits_{\mathit{Alice}}(\text{Bob typed } x \mid \text{Alice sees } x) = \frac{\epsilon + n - n\epsilon}{n} = 1 - \frac{n - 1}{n}\,\epsilon.$$

If Alice sees x, her posterior probability that Bob's input was $y \ne x$ is

$$\Pr\nolimits_{\mathit{Alice}}(\text{Bob typed } x \mid \text{Alice sees } y) = \frac{\epsilon}{n}.$$

Thus, if $\epsilon > 0$, even though Alice never learns with certainty that Bob's input was x, her
probability that Bob input x rises from $1/n$ to almost 1 as soon as she sees an x.

In this section we introduce definitions of probabilistic secrecy. The definitions and the 
technical results we obtain closely resemble the definitions and results of the previous two 
sections. This is no coincidence. As we show in Section 5, probabilistic and possibilistic
secrecy are instances of a definition of plausibilistic secrecy for which similar results can be 
proved in more generality. 

4.1 Defining Probabilistic Secrecy 

To reason about probabilistic security, we need a way to introduce probability into the mul- 
tiagent systems framework. There are actually two ways of doing this: we can either put a 
probability on points or a probability on runs. We consider putting a probability on points first, 
using a general approach described by Halpern [2003].

Given a system $\mathcal{R}$, define a probability assignment $\mathcal{PR}$ to be a function that assigns to
each agent i and point $(r, m)$ a probability space $\mathcal{PR}(r, m, i) = (W_{r,m,i}, \mathcal{F}_{r,m,i}, \mu_{r,m,i})$, where
$W_{r,m,i} \subseteq \mathcal{PT}(\mathcal{R})$ is i's sample space at $(r, m)$ and $\mu_{r,m,i}$ is a probability measure defined on
the subsets of $W_{r,m,i}$ in $\mathcal{F}_{r,m,i}$. (That is, $\mathcal{F}_{r,m,i}$ is a $\sigma$-algebra that defines the measurable subsets
of $W_{r,m,i}$.) We call a pair $(\mathcal{R}, \mathcal{PR})$ a probability system.

Given a probability system, we can give relatively straightforward definitions of probabilis- 
tic total secrecy and synchronous secrecy. Rather than requiring that an agent i think that all 
states of another j are possible, we require that all of those states be measurable and equally 
likely according to i's subjective probability measure. 

Definition 4.1: Agent j maintains probabilistic total secrecy with respect to agent i in $(\mathcal{R}, \mathcal{PR})$
if, for all points $(r, m)$, $(r', m')$, and $(r'', m'')$ in $\mathcal{PT}(\mathcal{R})$, we have
$\mathcal{K}_j(r'', m'') \cap \mathcal{K}_i(r, m) \in \mathcal{F}_{r,m,i}$, $\mathcal{K}_j(r'', m'') \cap \mathcal{K}_i(r', m') \in \mathcal{F}_{r',m',i}$, and

$$\mu_{r,m,i}(\mathcal{K}_j(r'', m'') \cap \mathcal{K}_i(r, m)) = \mu_{r',m',i}(\mathcal{K}_j(r'', m'') \cap \mathcal{K}_i(r', m')).$$

Probabilistic total secrecy is a straightforward extension of total secrecy. Indeed, if for
all points $(r, m)$ we have $\mu_{r,m,i}(\{(r, m)\}) > 0$, then probabilistic total secrecy implies total
secrecy (as in Definition 3.1).

Proposition 4.2: If $(\mathcal{R}, \mathcal{PR})$ is a probability system such that $\mu_{r,m,i}(\{(r, m)\}) > 0$ for all
points $(r, m)$ and j maintains probabilistic total secrecy with respect to i in $(\mathcal{R}, \mathcal{PR})$, then j
also maintains total secrecy with respect to i in $\mathcal{R}$.
Like total secrecy, probabilistic total secrecy is an unrealistic requirement in practice, and
cannot be achieved in synchronous systems. To make matters worse, the sets
$\mathcal{K}_j(r'', m'') \cap \mathcal{K}_i(r, m)$ are typically not measurable according to what is perhaps the most common approach
for defining $\mathcal{PR}$, as we show in the next section. Thus, even in completely asynchronous systems,
total secrecy is usually impossible to achieve for measurability reasons alone. Fortunately,
the obvious probabilistic analogue of synchronous secrecy is a more reasonable condition.

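Definition 4.3: Agent j maintains probabilistic synchronous secrecy with respect to agent i
in $(\mathcal{R}, \mathcal{PR})$ if, for all runs $r, r', r''$ and all times m, we have $\mathcal{K}_j(r'', m) \cap \mathcal{K}_i(r, m) \in \mathcal{F}_{r,m,i}$,
$\mathcal{K}_j(r'', m) \cap \mathcal{K}_i(r', m) \in \mathcal{F}_{r',m,i}$, and

$$\mu_{r,m,i}(\mathcal{K}_j(r'', m) \cap \mathcal{K}_i(r, m)) = \mu_{r',m,i}(\mathcal{K}_j(r'', m) \cap \mathcal{K}_i(r', m)).$$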

Note that if we set up the cosmic ray system of the previous section as a probability system in 
such a way that Alice's probability on points reflects the posterior probabilities we described 
for the system, it is immediate that Bob does not maintain probabilistic synchronous secrecy 
with respect to Alice. 

We now consider definitions of probabilistic secrecy where we start with a probability on
runs. Define a run-based probability system to be a triple $(\mathcal{R}, \mathcal{F}, \mu)$, where $\mathcal{R}$ is a system, $\mathcal{F}$ is
a $\sigma$-algebra of subsets of $\mathcal{R}$, and $\mu$ is a probability measure defined on $\mathcal{F}$. Note that a run-based
probability system requires only one probability measure, rather than a probability measure at
each point for each agent. In practice, such a measure is often relatively easy to come by. In
the same way that a set of runs can be generated by a protocol, a run-based probability system
can be generated by a probabilistic protocol: the probability of a set of runs sharing a common
prefix can be derived by multiplying the probabilities of the protocol transitions necessary to
generate the prefix (see [Halpern 2003; Halpern and Tuttle 1993] for further discussion).

Here and throughout the paper, we assume for simplicity that in a run-based probability
system $(\mathcal{R}, \mathcal{F}, \mu)$, $\mathcal{F}$ contains all sets of the form $\mathcal{R}(\mathcal{K}_i(r, m))$, for all points $(r, m)$ and all
agents i. That is, if a set of runs is generated by an agent's local state, it is measurable. We also
assume that $\mu(\mathcal{R}(\mathcal{K}_i(r, m))) > 0$, so that we can condition on information sets.

Recall from Section 3.1 that run-based total secrecy requires that, for all points $(r, m)$ and
$(r', m')$, we have $\mathcal{R}(\mathcal{K}_i(r, m)) \cap \mathcal{R}(\mathcal{K}_j(r', m')) \ne \emptyset$. In other words, run-based total secrecy is
a property based on what can happen during runs, rather than points. In a run-based probability
system where all information sets have positive measure, it is easy to see that this is equivalent
to the requirement that $\mu(\mathcal{R}(\mathcal{K}_j(r', m')) \mid \mathcal{R}(\mathcal{K}_i(r, m))) > 0$. We strengthen run-based total
secrecy by requiring that these probabilities be equal, for all i-information sets.

Definition 4.4: Agent j maintains run-based probabilistic secrecy with respect to i in $(\mathcal{R}, \mathcal{F}, \mu)$
if for any three points $(r, m), (r', m'), (r'', m'') \in \mathcal{PT}(\mathcal{R})$,

$$\mu(\mathcal{R}(\mathcal{K}_j(r'', m'')) \mid \mathcal{R}(\mathcal{K}_i(r, m))) = \mu(\mathcal{R}(\mathcal{K}_j(r'', m'')) \mid \mathcal{R}(\mathcal{K}_i(r', m'))).$$
The probabilities for the cosmic-ray system were defined on sets of runs. Moreover, facts
such as "Alice sees x" and "Bob typed y" correspond to information sets, exactly as in the 
definition of run-based probabilistic secrecy. It is easy to check that Bob does not maintain 
run-based probabilistic secrecy with respect to Alice. 
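
The cosmic-ray system is small enough to check both notions mechanically. The following Python sketch is an added example, not code from the paper; the encoding of runs as (x, ray, y) triples, the three time steps and all function names are assumptions made for illustration, and possibilistic synchronous secrecy is taken to mean that every same-time pair of Alice's and Bob's information sets intersects.

```python
from fractions import Fraction
from itertools import product

TIMES = (0, 1, 2)  # assumed clock: Bob types at time 1, Alice sees output at time 2


def cosmic_ray_system(n, eps):
    """Return {run: mu(run)} for the cosmic-ray system; a run is (x, ray, y)."""
    eps = Fraction(eps)
    mu = {}
    for x in range(n):
        mu[(x, False, x)] = (1 - eps) / n        # no ray: Alice sees Bob's input
        for y in range(n):
            mu[(x, True, y)] = eps / n ** 2      # ray: Alice sees a random string
    return mu


def local_state(agent, run, m):
    """Synchronous local states: the time, plus what the agent has typed or seen."""
    x, _ray, y = run
    if agent == "Bob":
        return (m, x) if m >= 1 else (m,)
    return (m, y) if m >= 2 else (m,)            # Alice


def information_sets(agent, runs):
    """Map each local state to the set of points (run, m) at which it occurs."""
    sets = {}
    for run, m in product(runs, TIMES):
        sets.setdefault(local_state(agent, run, m), set()).add((run, m))
    return sets


def runs_through(points):
    """R(K): the set of runs passing through a set of points."""
    return frozenset(run for run, _m in points)


def synchronous_secrecy(runs):
    """Possibilistic check: same-time information sets of Alice and Bob always meet."""
    alice = information_sets("Alice", runs)
    bob = information_sets("Bob", runs)
    return all(a & b
               for sa, a in alice.items()
               for sb, b in bob.items()
               if sa[0] == sb[0])


def conditional_table(mu):
    """mu(R(K_Bob) | R(K_Alice)) for every pair (Bob state, Alice state)."""
    alice = information_sets("Alice", mu)
    bob = information_sets("Bob", mu)
    table = {}
    for (sb, b), (sa, a) in product(bob.items(), alice.items()):
        ra, rb = runs_through(a), runs_through(b)
        joint = sum((mu[r] for r in ra & rb), Fraction(0))
        table[(sb, sa)] = joint / sum((mu[r] for r in ra), Fraction(0))
    return table


def run_based_probabilistic_secrecy(mu):
    """Definition 4.4 with j = Bob, i = Alice: the conditional probability of each
    Bob information set must not depend on which Alice information set is given."""
    values = {}
    for (sb, _sa), p in conditional_table(mu).items():
        values.setdefault(sb, set()).add(p)
    return all(len(v) == 1 for v in values.values())


if __name__ == "__main__":
    mu = cosmic_ray_system(4, Fraction(1, 100))
    table = conditional_table(mu)
    print("runs:", len(mu))
    print("possibilistic synchronous secrecy:", synchronous_secrecy(mu))
    print("run-based probabilistic secrecy:", run_based_probabilistic_secrecy(mu))
    print("Pr(Bob typed 1 | Alice sees 1):", table[((2, 1), (2, 1))])
    print("Pr(Bob typed 1 | Alice sees 3):", table[((2, 1), (2, 3))])
```

With $\epsilon = 1$ every output is random and the same check reports that run-based probabilistic secrecy holds, which isolates the leak to the runs where the ray does not strike.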

In Section 4.2 we consider the connection between probability measures on points and
on runs, and the corresponding connection between probabilistic secrecy and run-based
probabilistic secrecy. For the remainder of this section, we consider symmetry in the context of
probabilistic secrecy. In Section 3.1 we mentioned that our definitions of secrecy were symmetric
in terms of the agents i and j. Perhaps surprisingly, probabilistic secrecy is also a
symmetric condition, at least in most cases of interest. This follows from a deeper fact: under
reasonable assumptions, secrecy (of j with respect to i) implies the probabilistic independence
of i-information sets and j-information sets. (See Lemma C.1 in the appendix for more details.)

Consider probabilities on points: if there is no connection whatsoever between $\mathcal{PR}(r, m, i)$
and $\mathcal{PR}(r, m, j)$ in a probability system $(\mathcal{R}, \mathcal{PR})$, there is obviously no reason to expect
secrecy to be symmetric. However, if we assume that the probabilities of i and j at $(r, m)$ are
derived from a single common probability measure by conditioning, then symmetry follows.
This assumption, which holds for the probability systems we will consider here (and is standard
in the economics literature [Morris 1995]), is formalized in the next definition.

Definition 4.5: A probability system $(\mathcal{R}, \mathcal{PR})$ satisfies the common prior assumption if there
exists a probability space $(\mathcal{PT}(\mathcal{R}), \mathcal{F}_{cp}, \mu_{cp})$ such that for all agents i and points $(r, m) \in \mathcal{PT}(\mathcal{R})$,
we have $\mathcal{K}_i(r, m) \in \mathcal{F}_{cp}$, $\mu_{cp}(\mathcal{K}_i(r, m)) > 0$, and

$$\mathcal{PR}_i(r, m) = (\mathcal{K}_i(r, m), \{U \cap \mathcal{K}_i(r, m) \mid U \in \mathcal{F}_{cp}\}, \mu_{cp} \mid \mathcal{K}_i(r, m)).$$



In probability systems that satisfy the common prior assumption, probabilistic secrecy is sym- 
metric. 

Proposition 4.6: If $(\mathcal{R}, \mathcal{PR})$ is a probability system (resp., synchronous probability system)
that satisfies the common prior assumption with prior probability $\mu_{cp}$, the following are equivalent:

(a) Agent j maintains probabilistic total (resp., synchronous) secrecy with respect to i.

(b) Agent i maintains probabilistic total (resp., synchronous) secrecy with respect to j.

(c) For all points $(r, m)$ and $(r', m')$, $\mu_{cp}(\mathcal{K}_j(r', m') \mid \mathcal{K}_i(r, m)) = \mu_{cp}(\mathcal{K}_j(r', m'))$ (resp.,
for all points $(r, m)$ and $(r', m)$, $\mu_{cp}(\mathcal{K}_j(r', m) \mid \mathcal{K}_i(r, m)) = \mu_{cp}(\mathcal{K}_j(r', m) \mid \mathcal{PT}(m))$,
where $\mathcal{PT}(m)$ is the set of points occurring at time m; that is, the events $\mathcal{K}_i(r, m)$ and
$\mathcal{K}_j(r', m)$ are conditionally independent with respect to $\mu_{cp}$, given that the time is m).

Footnote (to Definition 4.5): Actually, it is more standard in the economics literature not to require that
$\mu_{cp}(\mathcal{K}_i(r, m)) > 0$. No requirements are placed on $\mu_{r,m,i}$ if $\mu_{cp}(\mathcal{K}_i(r, m)) = 0$. See
[Halpern 2002] for a discussion of this issue.

In run-based probability systems there is a single measure $\mu$ that is independent of the
agents, and we have symmetry provided that the system is synchronous or both agents have
perfect recall. (If neither condition holds, secrecy may not be symmetric, as illustrated by
Example A.2.)

Proposition 4.7: If $(\mathcal{R}, \mathcal{F}, \mu)$ is a run-based probability system that is either synchronous or
one where agents i and j both have perfect recall, then the following are equivalent:

(a) Agent j maintains run-based probabilistic secrecy with respect to i.

(b) Agent i maintains run-based probabilistic secrecy with respect to j.

(c) For all points $(r, m), (r', m') \in \mathcal{PT}(\mathcal{R})$, $\mathcal{R}(\mathcal{K}_i(r, m))$ and $\mathcal{R}(\mathcal{K}_j(r', m'))$ are
probabilistically independent with respect to $\mu$.

4.2 From Probability on Runs to Probability on Points 

In the last section we described two ways of adding probability to systems: putting a probability 
on points and putting a probability on runs. In this section, we discuss an approach due to 
Halpern and Tuttle [1993] for connecting the two approaches.

Given an agent i and a point $(r, m)$, we would like to derive the probability measure $\mu_{r,m,i}$
from $\mu$ by conditioning $\mu$ on $\mathcal{K}_i(r, m)$, the information that i has at the point $(r, m)$. The
problem is that $\mathcal{K}_i(r, m)$ is a set of points, not a set of runs, so straightforward conditioning
does not work. To solve this problem, we condition $\mu$ on $\mathcal{R}(\mathcal{K}_i(r, m))$, the set of runs going
through $\mathcal{K}_i(r, m)$, rather than on $\mathcal{K}_i(r, m)$. Conditioning is always well-defined, given our
assumption that $\mathcal{R}(\mathcal{K}_i(r, m))$ has positive measure.

We can now define a measure $\mu_{r,m,i}$ on the points in $\mathcal{K}_i(r, m)$ as follows. If $S \subseteq \mathcal{R}$ and
$A \subseteq \mathcal{PT}(\mathcal{R})$, let $A(S)$ be the set of points in A that lie on runs in S; that is,

$$A(S) = \{(r', m') \in A : r' \in S\}.$$

In particular, $\mathcal{K}_i(r, m)(S)$ consists of the points in $\mathcal{K}_i(r, m)$ that lie on runs in S. Let $\mathcal{F}_{r,m,i}$
consist of all sets of the form $\mathcal{K}_i(r, m)(S)$, where $S \in \mathcal{F}$. Then define

$$\mu_{r,m,i}(\mathcal{K}_i(r, m)(S)) = \mu(S \mid \mathcal{R}(\mathcal{K}_i(r, m))).$$

It is easy to check that if $U \subseteq \mathcal{K}_i(r, m)$ is measurable with respect to $\mu_{r,m,i}$, then
$\mu_{r,m,i}(U) = \mu(\mathcal{R}(U) \mid \mathcal{R}(\mathcal{K}_i(r, m)))$. We say that the resulting probability system $(\mathcal{R}, \mathcal{PR})$ is
determined by the run-based probability system $(\mathcal{R}, \mathcal{F}, \mu)$, and call $\mu$ the underlying measure.
We call a probability system standard if it is determined by a run-based probability system.

Note that synchronous standard probability systems satisfy the common prior assumption,
as defined in the previous section. If we assume that all runs are measurable, then we can simply
take $\mu_{cp}(r, m) = \mu(r)/2^{m+1}$. This ensures that the time m points have the same relative
probability as the runs, which is exactly what is needed. More generally, if $\mathcal{PT}(m)$ is the set
of time m points and S is a measurable subset of $\mathcal{R}$, we take $\mu_{cp}(\mathcal{PT}(m)(S)) = \mu(S)/2^{m+1}$.
It follows from Proposition 4.6 that probabilistic synchronous secrecy is symmetric in
synchronous standard systems.

In synchronous standard systems with perfect recall, probabilistic secrecy and run-based
probabilistic secrecy coincide. (We remark that Example A.1 shows that the requirement of
perfect recall is necessary.) This provides further evidence that our notions of probabilistic
secrecy are appropriate in synchronous systems.

Proposition 4.8: If $(\mathcal{R}, \mathcal{PR})$ is the standard system determined by the synchronous run-based
probability system $(\mathcal{R}, \mathcal{F}, \mu)$, and agents i and j have perfect recall in $\mathcal{R}$, then agent j maintains
run-based probabilistic secrecy with respect to i in $(\mathcal{R}, \mathcal{F}, \mu)$ iff j maintains probabilistic
synchronous secrecy with respect to i in $(\mathcal{R}, \mathcal{PR})$.

4.3 Characterizing Probabilistic Secrecy 

We now demonstrate that we can characterize probabilistic secrecy syntactically, as in the
nonprobabilistic case. To do so, we must first explain how to reason about probabilistic
formulas. Define an interpreted probability system $\mathcal{I}$ to be a tuple $(\mathcal{R}, \mathcal{PR}, \pi)$, where $(\mathcal{R}, \mathcal{PR})$
is a probability system. In an interpreted probability system we can give semantics to syntactic
statements of probability. We are most interested in formulas of the form $\Pr_i(\varphi) = \alpha$ (or
similar formulas with <, >, etc., instead of =). Such formulas were given semantics by Fagin,
Halpern, and Megiddo [1990]; we follow their approach here. Intuitively, a formula such as
$\Pr_i(\varphi) = \alpha$ is true at a point $(r, m)$ if, according to $\mu_{r,m,i}$, the probability that $\varphi$ is true is given
by $\alpha$. More formally, $(\mathcal{I}, r, m) \models \Pr_i(\varphi) = \alpha$ if

$$\mu_{r,m,i}(\{(r', m') \in \mathcal{K}_i(r, m) : (\mathcal{I}, r', m') \models \varphi\}) = \alpha.$$

Similarly, we can give semantics to $\Pr_i(\varphi) < \alpha$ and $\Pr_i(\varphi) > \alpha$, etc., as well as conditional
formulas such as $\Pr_i(\varphi \mid \psi) = \alpha$. Note that although these formulas talk about probability, they
are either true or false at a given state.

The semantics for a formula such as $\Pr_i(\varphi)$ implicitly assumes that the set of points in
$\mathcal{K}_i(r, m)$ where $\varphi$ is true is measurable. While there are ways of dealing with nonmeasurable
sets (see [Fagin, Halpern, and Megiddo 1990]), here we assume that all relevant sets are measurable.
This is certainly true in synchronous standard systems determined by a run-based
system where all sets of runs are measurable. More generally, it is true in a probability system
$(\mathcal{R}, \mathcal{PR})$ where, for all r, m, i, all the sets in the probability space $\mathcal{PR}(r, m, i)$ are measurable.

The first result shows that we can characterize probabilistic total and synchronous secrecy. 
Theorem 4.9:

(a) If $(\mathcal{R}, \mathcal{PR})$ is a probabilistic system, then agent j maintains probabilistic total secrecy
with respect to agent i iff, for every interpretation $\pi$ and formula $\varphi$ that is j-local in
$\mathcal{I} = (\mathcal{R}, \mathcal{PR}, \pi)$, there exists a constant $\sigma$ such that $\mathcal{I} \models \Pr_i(\varphi) = \sigma$.

(b) If $(\mathcal{R}, \mathcal{PR})$ is a synchronous probabilistic system, then agent j maintains probabilistic
synchronous secrecy with respect to agent i iff, for every interpretation $\pi$, time m,
and formula $\varphi$ that is j-local in $\mathcal{I} = (\mathcal{R}, \mathcal{PR}, \pi)$, there exists a constant $\sigma_m$ such that
$(\mathcal{I}, r, m) \models \Pr_i(\varphi) = \sigma_m$ for all runs $r \in \mathcal{R}$.

We can also characterize run-based secrecy in standard systems using the $\Diamond\!\!\!\cdot$ operator. For
this characterization, we need the additional assumption of perfect recall.

Theorem 4.10: If $(\mathcal{R}, \mathcal{PR})$ is a standard probability system where agent j has perfect recall,
then agent j maintains run-based probabilistic secrecy with respect to agent i iff, for every
interpretation $\pi$ and every formula $\varphi$ that is j-local in $\mathcal{I} = (\mathcal{R}, \mathcal{PR}, \pi)$, there exists a constant
$\sigma$ such that $\mathcal{I} \models \Pr_i(\Diamond\!\!\!\cdot\,\varphi) = \sigma$.

Example A.3 demonstrates that the assumption of perfect recall is necessary in Theorem 4.10
and that synchrony alone does not suffice.

4.4 Secrecy in Adversarial Systems 

It is easy to capture our motivating "cosmic-ray system" example using a synchronous standard 
system because we assumed a probability on the set of runs. Furthermore, it is not hard to 
show that Bob does not maintain synchronous secrecy with respect to Alice in this system. 
However, there is an important and arguably inappropriate assumption that was made when we 
modeled the cosmic-ray system, namely, that we were given the probability with which Bob 
inputs various strings. While we took that probability to be uniform, that was not a necessary 
assumption: any other probability distribution would have served to make our point. The 
critical assumption was that there is a well-defined distribution that is known to the modeler. 
However, in many cases the probability distribution is not known. In the "cosmic ray" example,
if we think of the strings as words in natural language, it may not be reasonable to view all 
strings as equally likely. Moreover, the probability of a string may depend on the speaker: it is 
unlikely that a teenager would have the same distribution as an adult, or that people having a 
technical discussion would have the same distribution as people discussing a movie. 

This type of situation, where there is an initial nondeterministic step followed by a se- 
quence of deterministic or probabilistic steps, is quite common. The nondeterministic step 
could determine the choice of speaker, the adversary's protocol, or the input to a probabilistic 
protocol. Indeed, it has been argued [Rabin 1982; Vardi 1985] that any setting where there is
a mix of nondeterministic, probabilistic, and deterministic moves can be reduced to one where
there is an initial nondeterministic move followed by probabilistic or deterministic moves. In
such a setting, we do not have one probability distribution over the runs in a system. Rather,
we can partition the set of runs according to the nondeterministic initial step, and then use
a separate probability distribution for the set of runs corresponding to each initial step. For
example, consider a setting with a single agent and an adversary. The agent uses a protocol
p, and the adversary uses one of a set $\{q_1, \ldots, q_n\}$ of protocols. The system $\mathcal{R}$ consists of
all the runs generated by running $(p, q_k)$ for $k = 1, \ldots, n$. $\mathcal{R}$ can then be partitioned into n
subsets $D_1, \ldots, D_n$, where $D_j$ consists of the runs of the joint protocol $(p, q_j)$. While we may
not want to assume a probability on how likely the adversary is to use $q_j$, typically there is a
natural probability distribution on each set $D_j$. Note that we can capture uncertainty about a
speaker's distribution over natural language strings in the same way; each protocol corresponds
to a different speaker's "string-production algorithm".

Formally, situations where there is a nondeterministic choice followed by a sequence of
probabilistic or deterministic choices can be characterized by an adversarial probability system,
which is a tuple $(\mathcal{R}, \mathcal{D}, \Delta)$, where $\mathcal{R}$ is a system, $\mathcal{D}$ is a countable partition of $\mathcal{R}$, and
$\Delta = \{(D, \mathcal{F}_D, \mu_D) : D \in \mathcal{D}\}$ is a set of probability spaces, where $\mu_D$ is a probability measure
on the $\sigma$-algebra $\mathcal{F}_D$ (on $D \in \mathcal{D}$) such that, for all agents i, points $(r, m)$, and cells D,
$\mathcal{R}(\mathcal{K}_i(r, m)) \cap D \in \mathcal{F}_D$ and, if $\mathcal{R}(\mathcal{K}_i(r, m)) \cap D \ne \emptyset$, then $\mu_D(\mathcal{R}(\mathcal{K}_i(r, m))) > 0$.

There are several ways of viewing the cosmic-ray example as an adversarial probability
system. If we view the input as a nondeterministic choice, then we can take $D(x)$ to consist of
all runs where the input is x, and let $\mathcal{D} = \{D(x) : x \in L\}$. The measure $\mu_{D(x)}$ on $D(x)$ is obvious:
the one run in $D(x)$ where the cosmic ray does not strike gets probability $1 - \epsilon$; the remaining n
runs each get probability $\epsilon/n$. Note that we can assign a probability on $D(x)$ without assuming
anything about Bob's input distribution. Alternatively, we can assume there are k "types" of
agents (child, teenager, adult, etc.), each with their own distribution over inputs. Then the
initial nondeterministic choice is the type of agent. Thus, the set of runs is partitioned into sets
$D_j$, $j = 1, \ldots, k$. We assume that agents of type j generate inputs according to probability
$\Pr_j$. In each set $D_j$, there is one run where Bob inputs x and the cosmic ray does not strike; it
has probability $\Pr_j(x)(1 - \epsilon)$. There are n runs where Bob inputs x and the cosmic ray strikes;
each gets probability $\Pr_j(x)\epsilon/n$.

We can identify an adversarial probability system with a set of run-based probability systems,
by viewing the measures in $\Delta$ as constraints on a single measure on $\mathcal{R}$. Let
$\mathcal{F}_{\mathcal{D}} = \sigma(\bigcup_{D \in \mathcal{D}} \mathcal{F}_D)$, the $\sigma$-algebra generated by the measurable sets of the probability spaces of $\Delta$.
(It is straightforward to check that $U \in \mathcal{F}_{\mathcal{D}}$ iff $U = \bigcup_{D \in \mathcal{D}} U_D$, where $U_D \in \mathcal{F}_D$.) Let $\mathcal{M}(\Delta)$
consist of all measures $\mu$ on $\mathcal{F}_{\mathcal{D}}$ such that (1) for all $D \in \mathcal{D}$, if $\mu(D) > 0$ then $\mu \mid D = \mu_D$
(i.e., $\mu$ conditioned on D is $\mu_D$) and (2) for all agents i and points $(r, m)$, there exists some
cell D such that $\mathcal{R}(\mathcal{K}_i(r, m)) \cap D \ne \emptyset$ and $\mu(D) > 0$. It follows from these requirements
and our assumption that if $\mathcal{R}(\mathcal{K}_i(r, m)) \cap D \ne \emptyset$ then $\mu_D(\mathcal{R}(\mathcal{K}_i(r, m)) \cap D) > 0$ that
$\mu(\mathcal{R}(\mathcal{K}_i(r, m))) > 0$ for all agents i and points $(r, m)$. We can thus associate $(\mathcal{R}, \mathcal{D}, \Delta)$ with
the set of run-based probability systems $(\mathcal{R}, \mathcal{F}_{\mathcal{D}}, \mu)$, for $\mu \in \mathcal{M}(\Delta)$.

Footnote (to the definition of an adversarial probability system): We actually should have written
$\mu_D(\mathcal{R}(\mathcal{K}_i(r, m)) \cap D)$ rather than $\mu_D(\mathcal{R}(\mathcal{K}_i(r, m)))$ here, since
$\mathcal{R}(\mathcal{K}_i(r, m))$ is not necessarily in $\mathcal{F}_D$ (and is certainly not in $\mathcal{F}_D$ if $\mathcal{R}(\mathcal{K}_i(r, m))$ is not a subset of D). For
brevity we shall continue to abuse notation and write $\mu_D(U)$ as shorthand for $\mu_D(U \cap D)$.

Rather than defining secrecy in adversarial systems directly, we give a slightly more general
definition. Define a generalized run-based probability system to be a tuple $(\mathcal{R}, \mathcal{F}, \mathcal{M})$,
where $\mathcal{M}$ is a set of probability measures on the $\sigma$-algebra $\mathcal{F}$. Similarly, define a generalized
probability system to be a tuple $(\mathcal{R}, \mathbf{PR})$, where $\mathbf{PR}$ is a set of probability assignments. We
can define secrecy in generalized (run-based) probability systems by considering secrecy with
respect to each probability measure/probability assignment.

Definition 4.11: Agent j maintains probabilistic total (resp. synchronous) secrecy with respect
to agent i in the generalized probabilistic system $(\mathcal{R}, \mathbf{PR})$ if, for all $\mathcal{PR} \in \mathbf{PR}$, j maintains
probabilistic total (resp. synchronous) secrecy with respect to i in $(\mathcal{R}, \mathcal{PR})$. Agent j maintains
run-based secrecy with respect to agent i in the generalized probabilistic run-based system
$(\mathcal{R}, \mathcal{F}, \mathcal{M})$ if, for all $\mu \in \mathcal{M}$, j maintains run-based probabilistic secrecy with respect to i in
$(\mathcal{R}, \mathcal{F}, \mu)$.



It is now straightforward to define secrecy in adversarial systems by reducing it to
a generalized probabilistic system. Agent j maintains run-based probabilistic secrecy with
respect to i in $(\mathcal{R}, \mathcal{D}, \Delta)$ if j maintains run-based probabilistic secrecy with respect to i in
$(\mathcal{R}, \mathcal{F}_{\mathcal{D}}, \mathcal{M}(\Delta))$. Similarly, agent j maintains total (resp. synchronous) secrecy with respect
to i in $(\mathcal{R}, \mathcal{D}, \Delta)$ if j maintains total (resp. synchronous) secrecy with respect to i in $(\mathcal{R}, \mathbf{PR})$,
where $\mathbf{PR}$ consists of all the probability assignments determined by the run-based probability
systems $(\mathcal{R}, \mathcal{F}_{\mathcal{D}}, \mu)$ for $\mu \in \mathcal{M}(\Delta)$. A straightforward analogue of Proposition 4.7 holds for
adversarial systems; again, secrecy is symmetric in the presence of assumptions such as perfect
recall or synchrony.



4.5 Secrecy and Evidence 

Secrecy in adversarial probability systems turns out to be closely related to the notion of
evidence in hypothesis testing (see [Kyburg 1983] for a good overview of the literature). Consider
this simple example: someone gives you a coin, which may be fair or may be double-headed.
You have no idea what the probability is that the coin is fair, and it may be exceedingly unlikely
that the coin is double-headed. But suppose you then observe that the coin lands heads on each of
1,000 consecutive tosses. Clearly this observation provides strong evidence in favor of the coin
being double-headed.

In this example there are two hypotheses: that the coin is fair and that it is double-headed.
Each hypothesis places a probability on the space of observations. In particular, the probability
of seeing 1000 heads if the coin is fair is $1/2^{1000}$, and the probability of seeing 1000 heads
if the coin is double-headed is 1. While we can talk of an observation being more or less
likely with respect to each hypothesis, making an observation does not tell us how likely an
hypothesis is. No matter how many heads we see, we do not know the probability that the coin
is double-headed unless we have the prior probability of the coin being double-headed. In fact,
a straightforward computation using Bayes' Rule shows that if the prior probability of the coin
being double-headed is $\alpha$, then the probability of the coin being double-headed after seeing
1000 heads is $\frac{\alpha}{\alpha + ((1 - \alpha)/2^{1000})}$.

In an adversarial probability system $(\mathcal{R}, \mathcal{D}, \Delta)$, the initial nondeterministic choice plays
the role of an hypothesis. For each $D \in \mathcal{D}$, $\mu_D$ can be thought of as placing a probability on
observations, given that choice D is made. These observations then give evidence about the
choice made. Agent i does not obtain evidence about the choices made if the probability of
any sequence of observations is the same for all choices.

Definition 4.12: Agent i obtains no evidence for the initial choice in the adversarial probability
system $(\mathcal{R}, \mathcal{D}, \Delta)$ if, for all $D, D' \in \mathcal{D}$ and all points $(r, m)$ such that $\mathcal{R}(\mathcal{K}_i(r, m)) \cap D \ne \emptyset$
and $\mathcal{R}(\mathcal{K}_i(r, m)) \cap D' \ne \emptyset$, we have

$$\mu_D(\mathcal{R}(\mathcal{K}_i(r, m))) = \mu_{D'}(\mathcal{R}(\mathcal{K}_i(r, m))).$$

Roughly speaking, i obtains no evidence for initial choices if the initial choices (other than
i's own choice) are all secret. The restriction to cells such that $\mathcal{R}(\mathcal{K}_i(r, m)) \cap D \ne \emptyset$ and
$\mathcal{R}(\mathcal{K}_i(r, m)) \cap D' \ne \emptyset$ ensures that D and D' are both compatible with i's initial choice.
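
Definition 4.12 can be evaluated cell by cell without any prior on the initial choice, which is exactly what separates evidence from a posterior in the coin example. The following Python sketch is an added example, not code from the paper; it covers both partitions of the cosmic-ray system described in Section 4.4 (by input and by agent type), and the function names and the two type distributions are constructed for illustration.

```python
from fractions import Fraction


def cell_measure(n, eps, input_dist):
    """mu_D for one cell D: Bob's input follows input_dist (fixed by the initial
    choice), then the ray strikes with probability eps. A run is (x, ray, y)."""
    eps = Fraction(eps)
    mu = {}
    for x, p in input_dist.items():
        mu[(x, False, x)] = p * (1 - eps)
        for y in range(n):
            mu[(x, True, y)] = p * eps / n
    return mu


def alice_likelihood(mu_D, y):
    """mu_D(R(K_Alice) ∩ D) for Alice's time-2 information set 'sees y'."""
    return sum((p for (_x, _ray, seen), p in mu_D.items() if seen == y),
               Fraction(0))


def obtains_no_evidence(n, cells):
    """Definition 4.12 for Alice: every observation has the same probability in
    every compatible cell. Her earlier information sets contain whole cells and
    have measure 1 everywhere, so only 'sees y' needs checking."""
    for y in range(n):
        compatible = [mu_D for mu_D in cells.values()
                      if any(seen == y for (_x, _ray, seen) in mu_D)]
        if len({alice_likelihood(mu_D, y) for mu_D in compatible}) > 1:
            return False
    return True


def input_cells(n, eps):
    """Partition by Bob's input: cell D(x) holds the runs where the input is x."""
    return {x: cell_measure(n, eps, {x: Fraction(1)}) for x in range(n)}


# Constructed input distributions for two agent types over a two-word language.
TYPE_DISTS = {
    "child": {0: Fraction(3, 4), 1: Fraction(1, 4)},
    "adult": {0: Fraction(1, 4), 1: Fraction(3, 4)},
}


def type_cells(eps):
    """Partition by agent type: cell D_j uses the input distribution Pr_j."""
    return {t: cell_measure(2, eps, dist) for t, dist in TYPE_DISTS.items()}


def posterior_double_headed(alpha, k):
    """Coin example: posterior that the coin is double-headed after k heads,
    which needs the prior alpha that Definition 4.12 does without."""
    alpha = Fraction(alpha)
    return alpha / (alpha + (1 - alpha) / 2 ** k)


if __name__ == "__main__":
    eps = Fraction(1, 100)
    cells = input_cells(4, eps)
    print("mu_D(2)(sees 2):", alice_likelihood(cells[2], 2))
    print("mu_D(2)(sees 3):", alice_likelihood(cells[2], 3))
    print("no evidence about input:", obtains_no_evidence(4, cells))
    print("no evidence about type:", obtains_no_evidence(2, type_cells(eps)))
    print("posterior, prior 1/2, one head:", posterior_double_headed(Fraction(1, 2), 1))
```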

To relate this notion to secrecy, we consider adversarial probability systems with a little
more structure. Suppose that for each agent $i = 1, \ldots, n$, there is a set $INIT_i$ of possible
initial choices. (For example, $INIT_i$ could consist of a set of possible protocols or a set of
possible initial inputs.) Let $INIT = INIT_1 \times \cdots \times INIT_n$ consist of all tuples of initial
choices. For $y_i \in INIT_i$, let $D_{y_i}$ consist of all runs in $\mathcal{R}$ where agent $i$'s initial
choice is $y_i$; if $y = (y_1, \ldots, y_n) \in INIT$, then $D_y = \cap_{i=1}^{n} D_{y_i}$ consists of all runs
where the initial choices are characterized by $y$. Let $\mathcal{D} = \{D_y : y \in INIT\}$. To model the
fact that $i$ is aware of his initial choice, we require that for all points $(r, m)$ and agents $i$,
there exists $y_i$ such that $\mathcal{R}(\mathcal{K}_i(r, m)) \subseteq D_{y_i}$. If $\mathcal{D}$ has this form and
each agent $i$ is aware of his initial choice, we call $(\mathcal{R}, \mathcal{D}, \Delta)$ the adversarial
system determined by $INIT$.

If $i$ obtains no evidence for the initial choice, she cannot learn anything about the initial
choices of other agents. To make this precise in our framework, let $\mathcal{M}^{INIT}_i(\Delta)$ consist
of the measures $\mu \in \mathcal{M}(\Delta)$ such that for all cells $D_{(y_1, \ldots, y_n)}$, we have
$\mu(D_{(y_1, \ldots, y_n)}) = \mu(D_{y_i}) \cdot \mu(\cap_{j \neq i} D_{y_j})$, i.e., such that the initial
choices made by agent $i$ are independent of the choices made by other agents. Intuitively, if the
choices of $i$ and the other agents are correlated, $i$ learns something about the other agents'
choices simply by making his own choice. We want to rule out such situations. Note that because all
the information sets have positive probability (with respect to all $\mu \in \mathcal{M}(\Delta)$) and, for
all $i$, there exists an information set $\mathcal{K}_i(r, m)$ such that
$D_{y_i} \supseteq \mathcal{R}(\mathcal{K}_i(r, m))$, the sets $D_{y_i}$ must also have positive probability.
It follows that $INIT$ and $\mathcal{D}$ must be countable.

Given $i$, let $i^-$ denote the "group agent" consisting of all agents other than $i$. (In particular,
if the system consists of only two agents, then $i^-$ is the agent other than $i$.) The local state of
$i^-$ is just the tuple of local states of all the agents other than $i$. Let $f_{i^-}$ be the
$i^-$-information function that maps a global state to the tuple of $(i^-)$'s initial choice. As we
observed in Section ITTl our definitions apply without change to new agents that we "create" by
identifying them with functions on global states. In particular, our definitions apply to $i^-$.

Theorem 4.13: Let $(\mathcal{R}, \mathcal{D}, \Delta)$ be the adversarial probability system determined by
$INIT$ and suppose that $\mathcal{R}$ is either synchronous or a system where $i$ has perfect recall.
Agent $i$ obtains no evidence for the initial choice in $(\mathcal{R}, \mathcal{D}, \Delta)$ iff agent $i^-$
maintains generalized run-based probabilistic $f_{i^-}$-secrecy with respect to $i$ in
$(\mathcal{R}, \mathcal{M}^{INIT}_i(\Delta))$.

The assumption of either synchrony or perfect recall is necessary because the proof relies
on the symmetry of run-based secrecy (as established by Proposition 4.7). We do not need to
assume perfect recall for agent $i^-$ because the theorem deals with $f_{i^-}$-secrecy and, on every
run, $f_{i^-}$ is constant. It therefore follows that the "agent" associated with $f_{i^-}$ (in the sense
described in Section im) has perfect recall even if $i^-$ does not.

Thinking in terms of evidence is often simpler than thinking in terms of run-based probabilistic
secrecy. This connection between evidence and secrecy is particularly relevant when it
comes to relating our work to that of Gray and Syverson [1998]; see Section lOl
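As an added illustration of Definition 4.12 and of the Bayes' Rule remark above (example code, not from the paper): the two-agent system below is constructed, with the other agent's initial choice a secret bit that is masked at every step by a pad bit whose bias is a parameter, and all function and variable names are hypothetical. It lists the information sets whose probability differs between the two cells, and computes the observer's posterior for a given prior.

```python
from fractions import Fraction
from itertools import product

# Constructed system (an assumption of this example): the other agent's initial
# choice is a secret bit s, so there is one cell D_s per value of s. Agent i has
# no choice of its own and, at each of STEPS time steps, observes s XOR k for a
# fresh pad bit k.
STEPS = 3


def cell_measure(secret_bit, pad_zero_prob):
    """mu_D for the cell D_secret_bit: observation sequence -> probability."""
    mu = {}
    for pad in product((0, 1), repeat=STEPS):
        p = Fraction(1)
        for k in pad:
            p *= pad_zero_prob if k == 0 else 1 - pad_zero_prob
        mu[tuple(secret_bit ^ k for k in pad)] = p
    return mu


def pad_system(pad_zero_prob):
    """The set of cell measures (Delta) for a pad with Pr[k = 0] = pad_zero_prob."""
    return {s: cell_measure(s, pad_zero_prob) for s in (0, 1)}


def prob_info_set(mu, prefix):
    """mu_D(R(K_i(r, m))): probability of the runs whose first m observations are prefix."""
    return sum((p for obs, p in mu.items() if obs[:len(prefix)] == prefix),
               Fraction(0))


def evidence_points(system):
    """Information sets on which two compatible cells disagree.

    An empty list means agent i obtains no evidence for the initial choice.
    """
    violations = []
    for m in range(STEPS + 1):
        for prefix in product((0, 1), repeat=m):
            # Only cells that intersect the information set are compared.
            probs = {s: prob_info_set(mu, prefix) for s, mu in system.items()
                     if any(obs[:m] == prefix for obs in mu)}
            if len(set(probs.values())) > 1:
                violations.append((prefix, probs))
    return violations


def posterior_secret_is_one(system, prior_one, prefix):
    """Bayes' Rule: Pr[s = 1 | prefix] for an observer whose prior is Pr[s = 1] = prior_one."""
    w1 = prior_one * prob_info_set(system[1], prefix)
    w0 = (1 - prior_one) * prob_info_set(system[0], prefix)
    return w1 / (w0 + w1)


UNIFORM_PAD = pad_system(Fraction(1, 2))   # k is a fair coin
BIASED_PAD = pad_system(Fraction(3, 4))    # k = 0 three times out of four

if __name__ == "__main__":
    print("uniform pad, violating information sets:", len(evidence_points(UNIFORM_PAD)))
    print("biased pad, violating information sets:", len(evidence_points(BIASED_PAD)))
    for prior in (Fraction(1, 10), Fraction(1, 2)):
        print("prior", prior,
              "-> uniform", posterior_secret_is_one(UNIFORM_PAD, prior, (1, 1, 1)),
              "-> biased", posterior_secret_is_one(BIASED_PAD, prior, (1, 1, 1)))
```

With the uniform pad the posterior equals whatever prior the observer started with; with the biased pad the same observations move it, and by how much depends on the prior.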



5 Plausibilistic Secrecy 

So far, we have given definitions of secrecy for nonprobabilistic systems, for probability systems
(where uncertainty is represented by a single probability measure), and for generalized
probability systems (where uncertainty is represented by a set of probability measures). All of
these definitions turn out to be special cases of secrecy with respect to a general representation
of uncertainty called a plausibility measure [Friedman and Halpern 1995; Friedman and Halpern 2001].
By giving a general definition, we can cull out the essential features of all the definitions, as
well as point the way to defining notions of secrecy with respect to other representations of
uncertainty that may be useful in practice.

Recall that a probability space is a tuple $(W, \mathcal{F}, \mu)$, where $W$ is a set of worlds,
$\mathcal{F}$ is an algebra of measurable subsets of $W$, and $\mu$ maps sets in $\mathcal{F}$ to elements of
$[0, 1]$ such that the axioms of probability are satisfied. A plausibility space is a direct
generalization of a probability space. We simply replace the probability measure $\mu$ with a
plausibility measure $\mathrm{Pl}$, which maps from sets in $\mathcal{F}$ to elements of an arbitrary
partially ordered set. If $\mathrm{Pl}(A) \le \mathrm{Pl}(B)$, then $B$ is at least as plausible as $A$.
Formally, a plausibility space is a tuple $(W, \mathcal{F}, D, \mathrm{Pl})$, where $D$ is a domain of
plausibility values partially ordered by a relation $\le_D$, and where $\mathrm{Pl}$ maps from sets in
$\mathcal{F}$ to elements of $D$ in such a way that if $U \subseteq V$, then $\mathrm{Pl}(U) \le_D \mathrm{Pl}(V)$.
We assume that $D$ contains two special elements denoted $\top_D$ and $\bot_D$ such that
$\mathrm{Pl}(W) = \top_D$ and $\mathrm{Pl}(\emptyset) = \bot_D$.

As shown in [Friedman and Halpern 1995; Halpern 2003], all standard representations of
uncertainty can be viewed as instances of plausibility measures. We consider a few examples
here that will be relevant to our discussion:

• It is straightforward to see that a probability measure is a plausibility measure.

• We can capture the notion of "possibility" using the trivial plausibility measure $\mathrm{Pl}_{triv}$
that assigns the empty set plausibility 0 and all other sets plausibility 1. That is, $D = \{0, 1\}$,
$\mathrm{Pl}_{triv}(\emptyset) = 0$, and $\mathrm{Pl}_{triv}(U) = 1$ if $U \neq \emptyset$.

• A set $\mathcal{M}$ of probability measures on a space $W$ can be viewed as a single plausibility
measure. In the special case where $\mathcal{M}$ is a finite set, say $\mathcal{M} = \{\mu_1, \ldots, \mu_n\}$,
we can take $D_{\mathcal{M}}$ to consist of $n$-tuples in $[0, 1]^n$, with the pointwise ordering, and
define $\mathrm{Pl}_{\mathcal{M}}(U) = (\mu_1(U), \ldots, \mu_n(U))$. Clearly
$\mathrm{Pl}_{\mathcal{M}}(\emptyset) = (0, \ldots, 0)$ and $\mathrm{Pl}_{\mathcal{M}}(W) = (1, \ldots, 1)$, so
$\bot_{D_{\mathcal{M}}} = (0, \ldots, 0)$ and $\top_{D_{\mathcal{M}}} = (1, \ldots, 1)$. If $\mathcal{M}$ is infinite,
we consider a generalization of this approach. Let $D_{\mathcal{M}}$ consist of all functions from
$\mathcal{M}$ to $[0, 1]$. The pointwise order on functions gives a partial order on $D_{\mathcal{M}}$; thus,
$\bot_{D_{\mathcal{M}}}$ is the constant function 0, and $\top_{D_{\mathcal{M}}}$ is the constant function 1.
Define the plausibility measure $\mathrm{Pl}_{\mathcal{M}}$ by taking $\mathrm{Pl}_{\mathcal{M}}(U)$ to be the
function $f_U$ such that $f_U(\mu) = \mu(U)$, for all $\mu \in \mathcal{M}$.

We can define secrecy using plausibility measures by direct analogy with the probabilistic
case. Given a system $\mathcal{R}$, define a plausibility assignment $\mathcal{PL}$ on $\mathcal{R}$ to be a
function that assigns to each agent $i$ and point $(r, m)$ a plausibility space
$(W_{r,m,i}, \mathcal{F}_{r,m,i}, \mathrm{Pl}_{r,m,i})$; define a plausibility system to be a pair
$(\mathcal{R}, \mathcal{PL})$, where $\mathcal{PL}$ is a plausibility assignment on $\mathcal{R}$. We obtain
definitions of total plausibilistic secrecy and synchronous plausibilistic secrecy by simply
replacing "probability" by "plausibility" in Definitions lOl and |431

Given a plausibility measure $\mathrm{Pl}$ on a system $\mathcal{R}$, we would like to define run-based
plausibilistic secrecy and repeat the Halpern-Tuttle construction to generate standard plausibilistic
systems. To do this, we need a notion of conditional plausibility. To motivate the definitions
to come, we start by describing conditional probability spaces. The essential idea behind
conditional probability spaces, which go back to Popper [1968] and de Finetti [1936], is to treat
conditional probability, rather than unconditional probability, as the primitive notion. A
conditional probability measure $\mu$ takes two arguments $V$ and $U$; $\mu(V, U)$ is generally written
$\mu(V \mid U)$. Formally, a conditional probability space is a tuple
$(W, \mathcal{F}, \mathcal{F}', \mu)$ such that $\mathcal{F}$ is a $\sigma$-algebra over $W$, $\mathcal{F}'$ is a
nonempty subset of $\mathcal{F}$ that is closed under supersets in $\mathcal{F}$ (so that if
$U \in \mathcal{F}'$, $U \subseteq V$, and $V \in \mathcal{F}$, then $V \in \mathcal{F}'$), the domain of $\mu$ is
$\mathcal{F} \times \mathcal{F}'$, and the following conditions are satisfied:

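• $\mu(U \mid U) = 1$ if $U \in \mathcal{F}'$.

• if $U \in \mathcal{F}'$ and $V_1, V_2, V_3, \ldots$ are pairwise disjoint elements of $\mathcal{F}$, then
$\mu(\cup_{i=1}^{\infty} V_i \mid U) =$

• $\mu(U_1 \cap U_2 \mid U_3) = \mu(U_1 \mid U_2 \cap U_3) \cdot \mu(U_2 \mid U_3)$ if $U_1 \in \mathcal{F}$ and
$U_2 \cap U_3 \in \mathcal{F}'$.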

The first two requirements guarantee that, for each fixed $U \in \mathcal{F}'$, $\mu(\cdot \mid U)$ is an
unconditional probability measure. The last requirement guarantees that the various conditional
probability measures "fit together". As is standard, we identify unconditional probability with
conditioning on the whole space, and write $\Pr(U)$ as an abbreviation for $\Pr(U \mid W)$.

Given an unconditional probability space $(W, \mathcal{F}, \mu)$, we immediately obtain a conditional
probability space by taking $\mathcal{F}'$ to consist of all sets $U$ such that $\mu(U) \neq 0$ and defining
conditional probability in the standard way. However, starting with conditional probability is more
general in the sense that it is possible to extend an unconditional probability space to a
conditional probability space where $\mathcal{F}'$ contains sets $U$ such that $\mu(U) = 0$. In other words,
there exist conditional probability spaces $(W, \mathcal{F}, \mathcal{F}', \mu)$ such that
$\mu(U \mid W) = 0$ for some $U \in \mathcal{F}'$.
This generality is useful for reasoning about secrecy, because (as we shall see) it is sometimes
useful to be able to condition on sets that have a probability of 0. up needing to assume

To generalize conditional probability to the plausibilistic setting, we need to define operators
$\oplus$ and $\otimes$ that act as analogues of $+$ and $\times$ for probability; these operators add
useful algebraic structure to the plausibility spaces we consider. We extend the notion of an
algebraic plausibility space [Friedman and Halpern 1995; Halpern 2001; Halpern 2003] to allow
an analogue of countable additivity. We briefly sketch the relevant details here.

A countably-additive algebraic conditional plausibility space (cacps) is a tuple
$(W, \mathcal{F}, \mathcal{F}', \mathrm{Pl})$ such that

• $\mathcal{F}$ is a $\sigma$-algebra of subsets of $W$;

• $\mathcal{F}'$ is a nonempty subset of $\mathcal{F}$ that is closed under supersets in $\mathcal{F}$;

• there is a partially-ordered domain $D$ such that, for each $V \in \mathcal{F}'$, $\mathrm{Pl}(\cdot \mid V)$
is a plausibility measure on $(W, \mathcal{F})$ with range $D$ (so, intuitively, the events in
$\mathcal{F}'$ are the ones for which conditioning is defined); and

• there are functions $\oplus : D^{\infty} \to D$ and $\otimes : D \times D \to D$ such that:

- if $U \in \mathcal{F}'$, $V_1, V_2, \ldots$ are pairwise disjoint elements of $\mathcal{F}$, and $J$ is some
subset of $\{1, 2, 3, \ldots\}$ such that $\mathrm{Pl}(V_i) = \bot$ for $i \in J$, then

$$\mathrm{Pl}(\cup_{i=1}^{\infty} V_i \mid U) = \oplus_{i=1}^{\infty} \mathrm{Pl}(V_i \mid U) = \oplus_{i \notin J} \mathrm{Pl}(V_i \mid U).$$

- if $U_1, U_2, U_3 \in \mathcal{F}$ and $U_2 \cap U_3 \in \mathcal{F}'$, then

$$\mathrm{Pl}(U_1 \cap U_2 \mid U_3) = \mathrm{Pl}(U_1 \mid U_2 \cap U_3) \otimes \mathrm{Pl}(U_2 \mid U_3).$$

- $\otimes$ distributes over $\oplus$; more precisely,
$a \otimes (\oplus_{i=1}^{\infty} b_i) = \oplus_{i=1}^{\infty} (a \otimes b_i)$ if
$(a, b_i), (a, \oplus_{i=1}^{\infty} b_i) \in \mathrm{Dom}(\otimes)$ and
$(b_1, b_2, \ldots), (a \otimes b_1, a \otimes b_2, \ldots) \in \mathrm{Dom}(\oplus)$, where
$\mathrm{Dom}(\oplus) = \{(\mathrm{Pl}(V_1 \mid U), \mathrm{Pl}(V_2 \mid U), \ldots) : V_1, V_2, \ldots \in \mathcal{F}$ are pairwise disjoint and $U \in \mathcal{F}'\}$
and $\mathrm{Dom}(\otimes) = \{(\mathrm{Pl}(U_1 \mid U_2 \cap U_3), \mathrm{Pl}(U_2 \mid U_3)) : U_2 \cap U_3 \in \mathcal{F}', U_1, U_2, U_3 \in \mathcal{F}\}$.
(The reason that this property is required only for tuples in $\mathrm{Dom}(\oplus)$ and
$\mathrm{Dom}(\otimes)$ is discussed shortly.)

- if $(a, c), (b, c) \in \mathrm{Dom}(\otimes)$, $a \otimes c \le b \otimes c$, and $c \neq \bot$, then $a \le b$.

To understand the reason for the restriction to $\mathrm{Dom}(\oplus)$ and $\mathrm{Dom}(\otimes)$, consider
probability. In that case, $D$ is $[0, 1]$, and we take $\oplus_{i=1}^{\infty} b_i$ to be
$\max(\sum_{i=1}^{\infty} b_i, 1)$. It is not too hard to show that the distributive property does not
hold in general if $\sum_{i=1}^{\infty} b_i > 1$ (consider, for example, $a = 1/2$, $b_1 = b_2 = 2/3$, and
$b_i = 0$ for $i \ge 3$); however, it does hold if $\sum_{i=1}^{\infty} b_i \le 1$, a property that is
guaranteed to hold if there exist sets $V_1, V_2, \ldots$ that are pairwise disjoint and a
set $U$ such that $b_i = \mu(V_i \mid U)$ for some probability measure $\mu$.

It can be shown (see [Halpern 2001; Halpern 2003]) that the constraints on cacps's imply
that $\bot$ acts as an identity element for $\oplus$ and that $\top$ acts as an identity element for
$\otimes$, just as 0 and 1 do for addition and multiplication, as long as we restrict to tuples in
$\mathrm{Dom}(\oplus)$ and $\mathrm{Dom}(\otimes)$, respectively, which is all we care about in our proofs.
The constraints also imply that $\mathrm{Pl}(U \mid U) = \top$ for $U \in \mathcal{F}'$.

All the plausibility measures we considered earlier can be viewed as examples of cacps's.
First, the trivial plausibility measure $\mathrm{Pl}_{triv}$ is a cacps if we take $\oplus$ to be max and
$\otimes$ to be min. A conditional probability space (as just defined) is a cacps simply by defining
$\oplus$ as above, so that $\oplus_{i=1}^{\infty} b_i = \max(\sum_{i=1}^{\infty} b_i, 1)$, and taking $\otimes$
to be multiplication. If we have a set $\mathcal{M}$ of probability measures on a space $W$, we can
construct a conditional plausibility measure $\mathrm{Pl}_{\mathcal{M}}$ in essentially the same way that
we constructed an unconditional plausibility measure from the set $\mathcal{M}$, so that
$\mathrm{Pl}_{\mathcal{M}}(V \mid U)$ is the function $f_{V \mid U}$ from measures in $\mathcal{M}$ to $[0, 1]$ such
that $f_{V \mid U}(\mu) = \mu(V \mid U)$ if $\mu(U) \neq 0$, and $f_{V \mid U}(\mu) = *$, where $*$ is a special
"undefined" value, if $\mu(U) = 0$. To get a cacps, we simply define $\oplus$ and $\otimes$ pointwise
(so that, for example, $f \oplus g$ is that function such that
$(f \oplus g)(\mu) = f(\mu) \oplus g(\mu)$). There are subtleties involved in defining the
set $\mathcal{F}'$ on which conditioning is defined; in particular, care is required when dealing with
sets $U$ such that $\mu(U) > 0$ for some, but not all, of the measures in $\mathcal{M}$. These issues do not
affect the results of this paper because we assume that the information sets on which we condition
have positive probability, so we ignore them here. See Halpern [2003] for more details.

Define a run-based plausibility system to be a cacps $(\mathcal{R}, \mathcal{F}, \mathcal{F}', \mathrm{Pl})$.
Instead of requiring that $\mu(\mathcal{R}(\mathcal{K}_i(r, m))) > 0$ as in the probabilistic case, we now
require that $\mathcal{R}(\mathcal{K}_i(r, m)) \in \mathcal{F}'$ for all agents $i$ and points $(r, m)$. This
requirement guarantees that conditioning on $\mathcal{R}(\mathcal{K}_i(r, m))$ is defined, but is easier to
work with than the requirement that $\mu(\mathcal{R}(\mathcal{K}_i(r, m))) > 0$. We can
now repeat the Halpern-Tuttle construction to generate standard plausibilistic systems. With
this construction, we can explain how the results of Sections 4.1, 4.2, and 4.3 carry over to
the more general plausibilistic setting. In general, the results extend by replacing $+$ and $\times$
consistently in the proofs by $\oplus$ and $\otimes$, but some care is required. We summarize the
details here without stating them as formal results; a technical discussion appears in the appendix.



• Proposition 4.8 generalizes to run-based plausibility systems.

• Theorems 4.9 and 4.10 carry over to the plausibilistic setting (with essentially the same
proofs) once we define a language for reasoning about plausibility analogous to the language
for reasoning about probability, with formulas of the form $\mathrm{Pl}_i(\varphi) = \alpha$.

• Proposition 4.6 generalizes, given a common prior $\mathrm{Pl}_{cp}$, provided that $\otimes$ is
commutative. For total secrecy we require that for all points $(r, m)$ we have
$\mathrm{Pl}_{cp}(\mathcal{K}_i(r, m) \mid \mathcal{PT}(\mathcal{R})) \neq \bot$ and
$\mathrm{Pl}_{cp}(\mathcal{K}_j(r, m) \mid \mathcal{PT}(\mathcal{R})) \neq \bot$; similarly, for synchronous secrecy
we require that for all points we have $\mathrm{Pl}_{cp}(\mathcal{K}_i(r, m) \mid \mathcal{PT}(m)) \neq \bot$ and
$\mathrm{Pl}_{cp}(\mathcal{K}_j(r, m) \mid \mathcal{PT}(m)) \neq \bot$.

• Proposition 4.7 generalizes provided that $\otimes$ is commutative and that for all points $(r, m)$
we have $\mathrm{Pl}(\mathcal{R}(\mathcal{K}_i(r, m)) \mid \mathcal{R}) \neq \bot$ and
$\mathrm{Pl}(\mathcal{R}(\mathcal{K}_j(r, m)) \mid \mathcal{R}) \neq \bot$.

• Theorem 4.13 can be extended once we define adversarial plausibility systems appropriately.

These results demonstrate the essential unity of our definitions and theorems in the
probabilistic and nonprobabilistic cases, and suggest further generalizations. In particular, it may
be worthwhile to consider definitions of secrecy based on representations of uncertainty that are
more qualitative than probability. For example, in the cosmic-ray example, we might consider a
measure with three degrees of likelihood: "impossible", "possible but very unlikely", "possible and
likely". This would let us handle examples where strange, unlikely things might happen, while
maintaining the simplicity of the nonprobabilistic definitions presented in Section ISTTl



6 Related Work 

We are certainly not the first to discuss formal definitions of secrecy: many definitions have
been proposed over the last two decades. One reason for this is that researchers have sought an
"ideal" definition of security that is, for example, easy to verify and composable (in the sense
that if two systems maintain secrecy then their composition does too). While we certainly
agree that composability and verifiability are important properties, we believe that the intuition
behind secrecy should be isolated from stronger properties that happen to imply secrecy,
especially when we have to worry about subtle issues such as probability and nondeterminism.

In this section we consider how our definitions relate to other attempts to define
information-flow conditions. We show in particular how it can capture work that has been done in the
synchronous setting, the asynchronous setting, and the probabilistic setting. Because there are
literally dozens of papers that have, in one way or another, defined notions of secrecy or
privacy, this section is in no way meant to be comprehensive or representative. Rather, we have
chosen examples that inspired our definitions, or examples for which our definitions give some
insight. In light of our earlier comments, we also focus on definitions that have tried to
capture the essence of secrecy, rather than notions that have been more concerned with issues like
composability and verification.

One important strand of literature to which we do not compare our work directly here
is the work on defining information flow and noninterference using process algebras related
to CCS and CSP; see, for example, [Focardi and Gorrieri 1994; Focardi and Gorrieri 2001;
Ryan and Schneider 1999; Ryan, Schneider, Goldsmith, Lowe, and Roscoe 2001]. We believe
that these definitions too are often best understood in terms of how they capture our
notions of secrecy. However, a careful discussion of this issue would take us too far afield.
In future work we plan to consider the issue in detail, by describing how processes can be
translated to the runs and systems framework in a way that captures their semantics and then
showing how some of the process-algebraic definitions can be recast as examples of secrecy.
In [Halpern and O'Neill 2003] we give one instance of such a translation: we show how
definitions of anonymity given using CSP by Schneider and Sidiropoulos [1996] can be captured
in the runs and systems framework.

6.1 Secrecy in Trace Systems 

Many papers in computer security define notions of secrecy (often referred to as
"noninterference") using trace-based models. Traces are usually defined as sequences of input and
output events, where each event is associated with some agent (either as an input that she
provides or an output that she sees). However, there have been some subtle differences among the
trace-based models. In some cases, infinite traces are used; in others, only finite traces. In
addition, some models assume that the underlying systems are synchronous, while others implicitly
assume asynchrony. Although "asynchronous" system models have been more common, we
first consider synchronous trace-based systems.

Both McLean [1994] and Wittbold and Johnson [1990] present their definitions of security
in the context of synchronous input/output traces. These traces are essentially restricted
versions of the runs introduced in this paper. Here we consider a slightly simplified version
of McLean's framework and describe two well-known noninterference properties within the
framework.

Let $LI$ and $HI$ be finite sets of high-level and low-level input variables, and let $LO$ and
$HO$ be finite sets of high-level and low-level output variables. We assume that these sets are
pairwise disjoint. A tuple $t = (l_i, h_i, l_o, h_o)$ (with $l_i \in LI$, $h_i \in HI$, $l_o \in LO$, and
$h_o \in HO$) represents a snapshot of a system at a given point in time; it describes the input
provided to the system by a low-level agent $L$ and a high-level agent $H$, and the output sent by
the system to $L$ and $H$. A synchronous trace $\tau = (t_1, t_2, \ldots)$ is a sequence of such tuples.
It represents an infinite execution sequence of the entire system by describing the input/output
behavior of the system at any given point in time.^ A synchronous trace system is a set $\Sigma$ of
synchronous traces, representing the possible execution sequences of the system.

In a synchronous trace system, the local state of an agent can be defined using a trace
projection function. For example, let $|_L$ be the function projecting $\tau$ onto the low-level
input/output behavior of $\tau$, so that if

$$\tau = ((l_i^{(1)}, h_i^{(1)}, l_o^{(1)}, h_o^{(1)}), (l_i^{(2)}, h_i^{(2)}, l_o^{(2)}, h_o^{(2)}), \ldots),$$

then

$$\tau|_L = ((l_i^{(1)}, l_o^{(1)}), (l_i^{(2)}, l_o^{(2)}), \ldots).$$

Similarly, we can define a function $|_H$ that extracts high-level input/output traces and a
function $|_{HI}$ that extracts just high-level input traces.

^The traces are said to be synchronous because the input and output values are specified for each agent at each
time step, and both agents can infer the time simply by looking at the number of system outputs they have seen.

Given a trace $\tau = (t_1, t_2, \ldots)$, the length $k$ prefix of $\tau$ is
$\tau_k = (t_1, t_2, \ldots, t_k)$, i.e., the finite sequence containing the first $k$ state tuples of
the trace $\tau$. Trace projection functions apply to trace prefixes in the obvious way.

It is easy to see that synchronous trace systems can be viewed as systems in the multiagent
systems framework. Given a trace $\tau$, we can define the run $r^{\tau}$ such that
$r^{\tau}(m) = (\tau_m|_L, \tau_m|_H)$. (For simplicity, we have omitted the environment state from the
global state in this construction, since it plays no role.) Given a synchronous trace system
$\Sigma$, let $\mathcal{R}(\Sigma) = \{r^{\tau} : \tau \in \Sigma\}$. It is easy to check that
$\mathcal{R}(\Sigma)$ is synchronous, and that both agents $L$ and $H$ have perfect recall.

McLean defines a number of notions of secrecy in his framework. We consider two of the
best known here: separability [McLean 1994] and generalized noninterference [McCullough 1987].
Separability, as its name suggests, ensures secrecy between the low-level and high-level agents,
whereas generalized noninterference ensures that the low-level agent is unable to know
anything about high-level input behavior.

Definition 6.1: A synchronous trace system $\Sigma$ satisfies separability if, for every pair of
traces $\tau, \tau' \in \Sigma$, there exists a trace $\tau'' \in \Sigma$ such that $\tau''|_L = \tau|_L$ and
$\tau''|_H = \tau'|_H$.

Definition 6.2: A synchronous trace system $\Sigma$ satisfies generalized noninterference if, for
every pair of traces $\tau, \tau' \in \Sigma$, there exists a trace $\tau'' \in \Sigma$ such that
$\tau''|_L = \tau|_L$ and $\tau''|_{HI} = \tau'|_{HI}$.

These definitions are both special cases of nondeducibility, as discussed in Section lSTTI take
the set of worlds to be $\Sigma$, the information function $g$ to be $|_L$, and the information function
$h$ to be $|_H$ (for separability) and $|_{HI}$ (for generalized noninterference).* In our framework,
separability essentially corresponds to synchronous secrecy, whereas generalized noninterference
corresponds to synchronous $f_{hi}$-secrecy. The following proposition makes this precise. Let
$f_{hi}$ be the information function that extracts a high-level input trace prefix from a point in
exactly the same way that $|_{HI}$ extracts it from the infinite trace.

Proposition 6.3: If a synchronous trace system $\Sigma$ satisfies separability (resp., generalized
noninterference), then $H$ maintains synchronous secrecy (resp., synchronous $f_{hi}$-secrecy) with
respect to $L$ in $\mathcal{R}(\Sigma)$.

Proof: We prove the result for separability. The proof for generalized noninterference is similar
and left to the reader. Suppose that $\Sigma$ satisfies separability. Let $r^{\tau}$ and $r^{\tau'}$ be runs
in $\mathcal{R}(\Sigma)$. We want to show that, for all times $m$, we have that
$\mathcal{K}_L(r^{\tau}, m) \cap \mathcal{K}_H(r^{\tau'}, m) \neq \emptyset$. Since $\Sigma$ satisfies
separability, there exists a trace $\tau'' \in \Sigma$ such that $\tau''|_L = \tau|_L$ and
$\tau''|_H = \tau'|_H$. It follows immediately that $\tau''_m|_L = \tau_m|_L$ and
$\tau''_m|_H = \tau'_m|_H$. Thus, $(r^{\tau''}, m) \in \mathcal{K}_L(r^{\tau}, m) \cap \mathcal{K}_H(r^{\tau'}, m)$.

*Actually, it is not difficult to see that if the information functions $g$ and $h$ are restricted to trace projection
functions, then nondeducibility is essentially equivalent in expressive power to selective interleaving functions,
the mechanism for defining security properties introduced by McLean [1994].

The converse to Proposition 6.3 is not quite true. There is a subtle but significant difference
between McLean's framework and ours. McLean works with infinite traces; separability and
generalized noninterference are defined with respect to traces rather than sets of points (i.e.,
trace prefixes). To see the impact of this, consider a system $\Sigma$ where the high-level agent
inputs either infinitely many 0's or infinitely many 1's. The output to the low-level agent is always
finitely many 0's followed by infinitely many 1's, except for a single trace where the high-level
agent inputs infinitely many 0's and the low-level agent inputs infinitely many 0's. Thus, the system
consists of the following traces, where we have omitted the low-level inputs since they do not
matter, and the high-level outputs, which can be taken to be constant:

$(0^k 1^{\infty}, 0^{\infty})$, $k = 0, 1, 2, 3, \ldots$
$(0^k 1^{\infty}, 1^{\infty})$, $k = 0, 1, 2, 3, \ldots$
$(0^{\infty}, 0^{\infty})$.

In the system $\mathcal{R}(\Sigma)$, $H$ maintains synchronous secrecy and thus synchronous
$f_{hi}$-secrecy with respect to $L$, because by looking at any finite trace prefix, $L$ cannot tell
whether the high-level inputs have been 0's or 1's. However, $\Sigma$ does not satisfy separability or
generalized noninterference. If $L$ "sees" infinitely many 0's, he immediately knows that the
high-level inputs have been 0's. This seems unreasonable. After all, agents only make observations
at finite points in time.

Note that if $\tau$ is a trace where the low-level outputs are all 0's and the high-level inputs are
all 1's, each finite prefix of the trace $\tau$ is a prefix of a trace in $\Sigma$, even though $\tau$ is
not in $\Sigma$. This turns out to be the key reason that the system satisfies synchronous secrecy but
not separability.

Definition 6.4: A synchronous trace system $\Sigma$ is limit closed [Emerson 1983] if, for all
synchronous traces $\tau$, we have $\tau \in \Sigma$ iff for every time $k$ there exists a trace
$\tau' \in \Sigma$ such that

Under the assumption of limit closure, we do get the converse to Proposition 6.3.

Proposition 6.5: A limit-closed synchronous trace system $\Sigma$ satisfies separability (resp.,
generalized noninterference) iff $H$ maintains synchronous secrecy (resp., synchronous
$f_{hi}$-secrecy) with respect to $L$ in $\mathcal{R}(\Sigma)$.

While we believe that it is unreasonable in general to assume that an agent's view includes
the entire run (as McLean's definitions implicitly do), these results nonetheless demonstrate
the close connection between our definition of synchronous $f$-secrecy and security properties
such as separability and generalized noninterference.

Up to now we have considered a synchronous trace model, where the input and output
events of high and low users occur in lockstep. However, many trace-based definitions of
security are given in an asynchronous setting. We consider a number of definitions of secrecy
in this setting. For uniformity we use the terminology of Mantel [2003], who has carefully
compiled a variety of well-known trace-based properties into a single framework.

In Mantel's framework, traces are not infinite sequences of input/output event tuples, but
finite sequences of input/output events. For example, if $l$ and $l'$ are low-level events while $h$
and $h'$ are high-level events, a possible system trace could be

$$\tau = (l, h, l, h', h', l', l', l, h).$$

As with synchronous trace systems, we denote a projection function for a set $A$ by $|_A$. Thus, if
$\tau$ is defined as above, we have

$$\tau|_L = (l, l, l', l', l),$$

where $|_L$ is the low-level projection function. Note that because asynchronous traces are
sequences of events, rather than tuples, the low-level projection function ignores high-level events
altogether. This means that a low-level view of the system may remain completely unchanged
even as many, many high-level input events occur.

An asynchronous trace system is a set of traces that is closed under trace prefixes. There is
a straightforward way of associating with each system a set of runs. A set $T$ of traces is run-like
if, for all traces $\tau_1$ and $\tau_2$ in $T$, either $\tau_1$ is a prefix of $\tau_2$ or $\tau_2$ is a prefix
of $\tau_1$. Intuitively, a run corresponds to a maximal run-like set of traces. More formally, let $T$
be a maximal set of run-like traces. Note that if $T$ is infinite, then for all $n \ge 0$ there exists
exactly one trace in $T$ of length $n$ (where the length of $(t_0, \ldots, t_{n-1})$ is $n$); if $T$ is
finite, then there is some $N \ge 0$ such that $T$ has exactly one trace of length $n$ for all
$n \le N$. If $T$ is infinite, let the run $r^T$ be such that $r^T(m) = (\tau^m|_L, \tau^m|_H)$, where
$\tau^m$ is the unique trace in $T$ of length $m$. If $T$ is finite, let $r^T$ be such that
$r^T(m) = (\tau^m|_L, \tau^m|_H)$ if $m \le N$, where $N$ is the length of the longest trace in $T$, and
$r^T(m) = r^T(N)$ if $m > N$; that is, the final state repeats forever. Given an asynchronous trace
system $\Sigma$, let $\mathcal{R}(\Sigma)$ denote the set of all runs of the form $r^T$, where $T$ is a
maximal set of run-like traces in $\Sigma$.

Trace-based security properties are usually expressed as closure properties on sets of traces,
much like our possibilistic definitions of secrecy; see [Mantel 2000] for more details. We
focus here on definitions of asynchronous separability and generalized noninterference, given
by Zakinthinos and Lee [1997].

Definition 6.6: An asynchronous trace system $\Sigma$ satisfies asynchronous separability if, for all
traces $\tau, \tau' \in \Sigma$, if $\tau''$ is a trace that results from an arbitrary interleaving of the
traces $\tau|_L$ and $\tau'|_H$, then $\tau'' \in \Sigma$.

The definition of generalized noninterference is slightly more complicated, because the trace
that results from interleaving does not include high inputs:

Definition 6.7: An asynchronous trace system $\Sigma$ satisfies asynchronous generalized
noninterference if, for all traces $\tau, \tau' \in \Sigma$, if $\tau''$ is a trace that results from an
arbitrary interleaving of the traces $\tau|_L$ and $\tau'|_{HI}$, there exists a trace $\tau'''$ such that
$\tau'''|_{L \cup HI} = \tau''|_{L \cup HI}$.

It is straightforward to relate these definitions to secrecy. Exactly as in the synchronous
case, let $f_{hi}$ be an information function that extracts a high-level input trace prefix from a
point: if $r^T(m) = (\tau|_L, \tau|_H)$, let $f_{hi}(r^T, m) = \tau|_{HI}$.

Proposition 6.8: If $\Sigma$ is an asynchronous trace system that satisfies asynchronous separability
(resp. asynchronous generalized noninterference), then $H$ maintains total secrecy (resp. total
$f_{hi}$-secrecy) with respect to $L$ in $\mathcal{R}(\Sigma)$.

The converse of Proposition 6.8 does not necessarily hold. We demonstrate this by providing
a counterexample that works for both separability and generalized noninterference. Suppose
that there are no high output events, only one low output event $l_o$, and arbitrary sets $LI$
and $HI$ of low and high input events, respectively. Consider the system consisting of all traces
$\tau$ involving these events such that $l_o$ occurs at most once in $\tau$, and when it occurs, it does
not follow any high input events. In $\mathcal{R}(\Sigma)$, $H$ maintains total secrecy and
$f_{hi}$-secrecy with respect to $L$, because any local state for $L$ is compatible with any local
state for $H$. (Because the system is asynchronous, $L$ learns nothing by seeing $l_o$: when $L$ sees
$l_o$, he thinks it possible that arbitrarily many high input events could have occurred after
$l_o$. Furthermore, $L$ learns nothing about $H$ when he does not see $l_o$: it is always possible that
no high input events have occurred and that $l_o$ may yet occur.) However, $\Sigma$ does not satisfy
asynchronous separability or asynchronous generalized noninterference, because interleavings where
a high input event precedes $l_o$ are ruled out by construction.

This example illustrates a potential weakness of our approach to secrecy. Although $H$
maintains total secrecy with respect to $L$ in $\mathcal{R}(\Sigma)$, there is a sense in which $L$ learns
something about $H$. Consider a point $(r, m)$ in $\mathcal{R}(\Sigma)$ at which $L$ has not seen $l_o$. At
that point, $L$ knows that if a high event has occurred, he will never see $l_o$. This knowledge does
not violate secrecy, because it does not depend on the local state of $H$; it is not an $H$-local
fact. But there is a sense in which this fact can be said to be "about" $H$. It is information about
a correlation between high events and a particular low event. Is such information leakage a
problem? We have not been able to construct an example where it is. But it is worth pointing out
that all of our definitions of secrecy aim to protect the local state of some particular user. Any
"secret information" that cannot be characterized as a local proposition is not protected.

In any case, we can show that total secrecy and separability are equivalent if we assume
a particularly strong form of asynchrony that rules out a temporal dependence between high
and low events. Formally, $\Sigma$ is closed under interleavings if for all asynchronous traces $\tau$ and
$\tau'$, if $\tau \in \Sigma$, $\tau'|_L = \tau|_L$ and $\tau'|_H = \tau|_H$, then $\tau' \in \Sigma$. Though this requirement allows L
to learn about high events that may occur in the future (or that have possibly occurred in the
past), it rules out any knowledge of the ordering of high and low events in a given run. With
this requirement, total secrecy and asynchronous separability coincide.

Proposition 6.9: If $\Sigma$ is an asynchronous trace system that is closed under interleavings, then
$\Sigma$ satisfies asynchronous separability iff H maintains total secrecy with respect to L in $\mathcal{R}(\Sigma)$.

A similar result is true for generalized noninterference and $f_{hi}$-secrecy if we modify the
definition of closure under interleavings to allow L to learn something about the ordering of
high output events; we omit the details here.

6.2 Secrecy and User Protocols



Generalized noninterference, within the context of McLean's synchronous input/output traces,
captures the intuition that the low-level agent cannot rule out any high-level input traces. But
is protecting the input of the high-level agent enough to guarantee secrecy? In more than one
way, it is not. The first problem, of course, is the use of possibility as an uncertainty measure.
The second problem is captured by the following example, which illustrates the fact that the
string input by a high-level user may be completely divorced from the message she wants to
send. Consider the following synchronous trace system, a simplified version of one described
by Wittbold and Johnson [1990] and Gray and Syverson [1998].

• All input/output values are restricted to be either 0 or 1.

• At each time step k, the high-level output value $h_o^{(k)}$ is nondeterministically chosen to be
either 0 or 1.

• At each time step k, the low-level output value $l_o^{(k)}$ is $h_o^{(k-1)} \oplus h_i^{(k)}$, where $\oplus$ is the
exclusive-or operator and $h_i^{(k)}$ is the high-level input at time k.

• For completeness, suppose that the low-level output at time 1 is 0, since $h_o^{(k-1)}$ is not
defined at the first time step. (What happens at the first time step is unimportant.)

The set of traces that represents this system satisfies noninterference. At any time k, $l_o^{(k)}$
depends only on $h_i^{(k)}$ and $h_o^{(k-1)}$. But as the following table shows, any value of $l_o^{(k)}$ is consistent
with any value of $h_i^{(k)}$:

Thus, given traces $\tau, \tau'$, we can construct a new trace $\tau''$ by taking the low-level input/output
of $\tau$ and the high-level input of $\tau'$. For the high-level output of the resulting trace, we take
$h_o^{(k)} = l_o^{(k+1)} \oplus h_i^{(k+1)}$. Because $\tau''$ is a valid trace of the system, the system satisfies generalized
noninterference.

The problem with this system is that a malicious high-level agent (for example, a "trojan
horse" program) who knows how the system works can transmit arbitrary strings of data
directly to the low-level agent. If the high-level agent wants to transmit the bit x at time k and
sees the high-level output bit y at time $k - 1$, then she can ensure that the low-level output is x
at time k by inputting the bit $x \oplus y$ at time k.

Wittbold and Johnson [1990] point out that examples such as this show that generalized
noninterference does not guarantee security. We claim that the fundamental problem is not with
generalized noninterference per se, but rather with an underlying system model that assumes
that everything relevant to the state of the high-level agent can be captured using input/output
traces. If we model an agent's local state so that it includes a protocol for transmitting a
specific string to another agent, generalized noninterference does not ensure secrecy.

To deal with the problem they noted, Wittbold and Johnson introduced nondeducibility on
strategies (NOS). We modify their definition slightly so that it is compatible with McLean's
framework of synchronous traces. A protocol $\mathbf{H}$ is a function from a high-level input/output
trace prefix $\tau_k|_H$ to a high-level input value $h_i \in HI$. Intuitively, a protocol tells the agent H
what to do at each step, given what he has already seen and done. A trace $\tau$ is consistent with
a protocol $\mathbf{H}$ if, for all k, $\mathbf{H}(\tau_{k-1}|_H) = h_i^{(k)}$, where $h_i^{(k)}$ is the high-level input value of the
kth tuple in $\tau$. A synchronous trace system $\Sigma$ satisfies nondeducibility on strategies if, for all
traces $\tau \in \Sigma$ and every high-level strategy $\mathbf{H}$ consistent with some trace in $\Sigma$, there exists a
trace $\tau'$ that is consistent with $\mathbf{H}$ such that $\tau'|_L = \tau|_L$. If the protocol of the high-level agent
is included as part of her local state, and $f_{strat}$ is an H-information function that extracts the
protocol of the high-level agent from the local state, then it is straightforward to show that NOS
is just synchronous $f_{strat}$-secrecy.
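
The exclusive-or system and the NOS definition above can be checked by brute force on short traces. The Python below is an added example, not code from the paper: it enumerates all traces of length 3 (the bound `N` and every function name are assumptions of this example), confirms the compatibility property behind generalized noninterference, counts the deterministic protocols that violate nondeducibility on strategies, and replays the $x \oplus y$ encoding from the text.

```python
"""Added example: bounded check of GNI versus nondeducibility on strategies."""
from itertools import product

N = 3          # trace length; an assumption that keeps the enumeration small
BITS = (0, 1)


def build_system(n=N):
    """All traces of the XOR system; each step is a tuple (li, hi, lo, ho)."""
    system = []
    for li, hi, ho in product(product(BITS, repeat=n), repeat=3):
        # lo at the first step is 0; afterwards lo(k) = ho(k-1) XOR hi(k).
        lo = (0,) + tuple(ho[k - 1] ^ hi[k] for k in range(1, n))
        system.append(tuple(zip(li, hi, lo, ho)))
    return system


def low_view(trace):
    return tuple((li, lo) for li, _, lo, _ in trace)


def high_inputs(trace):
    return tuple(hi for _, hi, _, _ in trace)


def high_outputs(trace):
    return tuple(ho for _, _, _, ho in trace)


def satisfies_gni(system):
    """Every low view must be compatible with every high input sequence."""
    seen = {(low_view(t), high_inputs(t)) for t in system}
    lows = {low for low, _ in seen}
    highs = {high for _, high in seen}
    return all((low, high) in seen for low in lows for high in highs)


def strategies(n=N):
    """Deterministic protocols, keyed by the high outputs seen so far.

    The text's protocol takes the whole high-level input/output prefix; for a
    deterministic protocol the past inputs are fixed by the past outputs, so
    keying on outputs alone loses nothing.
    """
    keys = [h for k in range(n) for h in product(BITS, repeat=k)]
    for choice in product(BITS, repeat=len(keys)):
        yield dict(zip(keys, choice))


def consistent(trace, strategy):
    """True if every high input in the trace is what the strategy prescribes."""
    ho = high_outputs(trace)
    return all(trace[k][1] == strategy[ho[:k]] for k in range(len(trace)))


def nos_violations(system):
    """Strategies under which L can rule out an otherwise possible low view."""
    all_lows = {low_view(t) for t in system}
    bad = []
    for strat in strategies():
        reachable = {low_view(t) for t in system if consistent(t, strat)}
        if reachable != all_lows:
            bad.append(strat)
    return bad


def covert_channel(message, ho):
    """Low outputs when H inputs x XOR ho(k-1) to signal bit x at step k."""
    lo = [0]
    for k, x in enumerate(message, start=1):
        hi_k = x ^ ho[k - 1]
        lo.append(ho[k - 1] ^ hi_k)
    return lo


SYSTEM = build_system()

if __name__ == "__main__":
    print("traces:", len(SYSTEM))
    print("GNI holds:", satisfies_gni(SYSTEM))
    print("strategies violating NOS:", len(nos_violations(SYSTEM)), "of", 2 ** 7)
    # Constructed sample: message bits and nondeterministic high outputs.
    print("L reads:", covert_channel([1, 0, 1, 1], ho=[0, 1, 1, 0, 1])[1:])
```

The only protocols that pass the NOS check are those whose inputs ignore the high-level outputs already seen, which is exactly the feedback the encoding in the text relies on.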

Gray and Syverson [1998] extend NOS to probabilistic systems using the Halpern-Tuttle
framework. In Gray and Syverson's terminology, low-level and high-level agents use
probabilistic protocols $\mathbf{L}$ and $\mathbf{H}$, respectively. Again, the protocols ($\mathbf{H}$ and $\mathbf{L}$) determine what the
agents H and L will input next, given what they have seen and done so far. The system is
assumed to have a fixed probability distribution O that determines its output behavior, given
the inputs and outputs seen so far. Formally, for each trace prefix $\tau$ of length k, $\mathbf{H}(\cdot \mid (\tau|_H))$ is a
probability measure on high-level input events that occur at time $k + 1$, given the projection of
$\tau$ onto the high-level input/output; similarly, $\mathbf{L}(\cdot \mid (\tau|_L))$ is a probability measure on low-level
input events that occur at time $k + 1$ and $O(\cdot \mid \tau)$ is a probability measure on output events that
occur at time $k + 1$, given $\tau$. Gray and Syverson require that the choices made by H, L, and
the system at each time step be probabilistically independent. With this assumption, $\mathbf{H}$, $\mathbf{L}$, and
O determine a conditional distribution that we denote $\mu_{\mathbf{L},\mathbf{H},O}$, where

$\mu_{\mathbf{L},\mathbf{H},O}((l_i, h_i, l_o, h_o) \mid \tau) = \mathbf{L}(l_i \mid (\tau|_L)) \cdot \mathbf{H}(h_i \mid (\tau|_H)) \cdot O(l_o, h_o \mid \tau).$

Let $\Lambda$ and $\Gamma$ be countable sets of protocols for the low-level and high-level agents,
respectively.¹ Given $\Lambda$, $\Gamma$, and O (and, implicitly, sets of low and high input and output
values), we can define an adversarial probability system $\mathcal{R}^*(\Lambda, \Gamma, O)$ in a straightforward way.
Let $\Sigma$ consist of all synchronous traces over the input and output values. For each joint
protocol $(\mathbf{L}, \mathbf{H}) \in \Lambda \times \Gamma$, let $\mathcal{R}(\Sigma, \mathbf{L}, \mathbf{H})$ consist of all runs defined as in our earlier mapping
from synchronous traces to runs, except that now we include $\mathbf{L}$ in the low-level agent's local
state and $\mathbf{H}$ in the high-level agent's local state. Let $\mathcal{R}(\Sigma, \Lambda \times \Gamma) = \bigcup_{(\mathbf{L},\mathbf{H}) \in \Lambda \times \Gamma} \mathcal{R}(\Sigma, \mathbf{L}, \mathbf{H})$.
We can partition $\mathcal{R}(\Sigma, \Lambda \times \Gamma)$ according to the joint protocol used; let $\mathcal{D}(\Lambda, \Gamma)$ denote this
partition. Given the independence assumptions, the joint protocol $(\mathbf{L}, \mathbf{H})$ also determines a
probability $\mu_{\mathbf{L},\mathbf{H},O}$ on $\mathcal{R}(\Sigma, \mathbf{L}, \mathbf{H})$. Let $\Delta(\Lambda, \Gamma, O) = \{\mu_{\mathbf{L},\mathbf{H},O} : \mathbf{L} \in \Lambda, \mathbf{H} \in \Gamma\}$. Let
$\mathcal{R}^*(\Lambda, \Gamma, O) = (\mathcal{R}(\Sigma, \Lambda \times \Gamma), \mathcal{D}, \Delta)$. We can now define Gray and Syverson's notion of
secrecy in the context of these adversarial systems.

¹Gray and Syverson take $\Lambda$ and $\Gamma$ to consist of all possible probabilistic protocols for the low-level and
high-level agent, respectively, but their approach still makes sense if $\Lambda$ and $\Gamma$ are arbitrary sets of protocols, and it
certainly seems reasonable to assume that there are only countably many protocols that H and L can be using.

Definition 6.10: An adversarial system $\mathcal{R}^*(\Lambda, \Gamma, O)$ satisfies probabilistic noninterference if,
for all low-level protocols $\mathbf{L} \in \Lambda$, points (r, m) where L's protocol is $\mathbf{L}$, and high-level
protocols $\mathbf{H}, \mathbf{H}' \in \Gamma$, we have $\mu_{(\mathbf{L},\mathbf{H},O)}(\mathcal{K}_L(r, m)) = \mu_{(\mathbf{L},\mathbf{H}',O)}(\mathcal{K}_L(r, m))$. ■

Theorem 6.11: The following are equivalent:

(a) $\mathcal{R}^*(\Lambda, \Gamma, O)$ satisfies probabilistic noninterference;

(b) L obtains no evidence about H's protocol (in the sense of Definition 4.12) in $\mathcal{R}^*(\Lambda, \Gamma, O)$;

(c) H maintains generalized run-based probabilistic fstrat- secrecy with respect to L in (7?.(S, Ax 
r), A1^^^^(A(A, r, O))), where fstrat is the information function that maps from H 's lo- 
cal state to H's protocol; 

(d) H maintains generalized probabilistic synchronous f stmt- secrecy with respect to L in the 
standard generalized probability system determined by (7^(S, AxF), A^^^^^(A(A, F, O))). 

Proof: The fact that (a) implies (b) is immediate from the definitions, since H's initial choice
is the protocol $\mathbf{H}$. The equivalence of (b) and (c) follows from Theorem 4.13. Finally, since
the traces in $\Sigma$ are synchronous, the equivalence of (c) and (d) follows from Proposition 4.8. ■



7 Conclusion 

We have defined general notions of secrecy for systems where multiple agents interact over 
time, and have given syntactic characterizations of our definitions that connect them to logics 
of knowledge and probability. We have applied our definitions to the problem of characteriz- 
ing the absence of information flow, and have shown how our definitions can be viewed as a 
generalization of a variety of information-flow definitions that have been proposed in the past.

We are not the first to attempt to provide a general framework for analyzing secrecy; see, for
example, [Focardi and Gorrieri 2001], [Mantel 2000], [McLean 1994], [Ryan and Schneider 1999], and
[Zakinthinos and Lee 1997] for some other attempts. However, we believe that our definitions
are more closely related to the intuitions that people in the field have had, because those defi- 
nitions have often been expressed in terms of the knowledge of the agents who interact with a 
system. 

Our definitions of probabilistic secrecy, and their plausibilistic generalizations, demonstrate 
the underlying simplicity and unity of our definitions. Likewise, our results on the symmetry 
of secrecy illustrate the close connection between notions of secrecy and independence. The
definitions and results that we have presented, and their underlying intuitions of knowledge and 
independence, do not depend on the particular system representation that we describe here, so 
they should be broadly applicable. 

Indeed, although we have discussed secrecy largely with respect to the kinds of input and 
output systems that have been popular with the theoretical security community, our definitions 
of secrecy apply in other contexts, such as protocol analysis, semantics for imperative pro- 
gramming languages, and database theory. Chor, Goldreich, Kushilevitz, and Sudan [1998], 
for example, consider the situation where a user wants to query a replicated database for some 
specific database item, but wants a guarantee that no one will be able to determine, based on 
his query, which item he wants. It is not hard to show that the definition of privacy given by 
Chor et al. is a special case of secrecy in an adversarial system with a cell corresponding to 
each possible item choice. 

There are several possible directions for future work. One is the verification of secrecy 
properties. Because we have provided syntactic characterizations of several secrecy properties
in terms of knowledge and local propositions, it would seem that model-checking techniques
could be applied directly. (Van der Meyden [1998] gives some recent results on
model-checking in the runs and systems framework.) However, verifying a secrecy property requires
verifying an infinite set of formulas, and developing techniques to do this efficiently would 
seem to require some nontrivial advances to the state of the art in model checking. Of course, 
to the extent that we are interested in more limited forms of secrecy, where an agent is restricted 
from knowing a small set of formulas, knowledge-based model-checking techniques may be 
immediately applicable. At any rate, we emphasize that it is our goal in this paper to provide 
general techniques for the specification, rather than the verification, of secrecy. 

Another direction for future work is a careful consideration of how secrecy definitions can 
be weakened to make them more useful in practice. Here we briefly consider some of the issues 
involved: 

• Declassification: Not all facts can be kept secret in a real-world computer system. The 
canonical example is password checking, where a system is forced to release information 
when it tells an attacker that a password is invalid. Declassification for information-flow 
properties has been addressed by, for example, Myers, Sabelfeld, and Zdancewic [2004].
It would be interesting to compare their approach to our syntactic approach to secrecy, 
keeping in mind that our syntactic definitions can be easily weakened simply by remov- 
ing facts from the set of facts that an agent is required to think are possible. 

• Computational secrecy: Our definitions of secrecy are most appropriate for attackers 
with unlimited computational power, since agents "know" any fact that follows logi- 
cally from their local state, given the constraints of the system. Such an assumption is 
unreasonable for most cryptographic systems, where secrecy depends on the inability 
of attackers to solve difficult computational problems. The process-algebraic approach 
advocated by Mitchell, Ramanathan, Scedrov, and Teague [2004] and the work on
probabilistic algorithm knowledge of Halpern and Pucella [2003b] may help to shed light on
how definitions of secrecy can be weakened to account for agents with computational
limitations.

• Quantitative secrecy: Our definitions of probabilistic secrecy require independence: an 
agent's posterior probability distribution on the possible local states of a secret agent 
must be exactly the same as his prior distribution. This requirement can be weakened 
using the information-theoretic notions of entropy and mutual information. Rather than 
requiring that no information flow from one user to another, we can quantitatively bound 
the mutual information between their respective local states. Information-theoretic
approaches to secrecy have been discussed by Wittbold and Johnson [1990], and more
recently by Clark, Hunt, and Malacaria [2002], Lowe [2002], and Di Pierro, Hankin, and
Wiklicky [2002].

• Statistical privacy: In some systems, such as databases that release aggregate statisti- 
cal information about individuals, our definitions of secrecy are much too strong be- 
cause they rule out the release of any useful information. Formal definitions of secrecy 
and privacy for such systems have recently been proposed by Evfimievski, Gehrke, and
Srikant and by Chawla, Dwork, McSherry, Smith and Wee [2005]. These definitions
seek to limit the information that an attacker can learn about a user whose personal
information is stored in the database. It would be interesting to cast those definitions as 
weakenings of secrecy. 

These weakenings of secrecy are all conceptually different, but it seems highly likely that 
there are relations and connections among them. We hope that our work will help to clarify 
some of the issues involved. 

Acknowledgments: We thank Riccardo Pucella, Andrei Sabelfeld, and Ron van der Meyden 
and criticism, and Niranjan Nagarajan, who suggested a probability measure that led to Exam-
pleO

A Examples of Systems 

In this section, we give examples of simple systems that show the limitations of various the- 
orems. All the systems involve only two agents, and we ignore the environment state. We 
describe each run using the notation 

where $X_{i,k}$ is the local state of agent i at time k. For asynchronous systems, we assume that the
final global state, $(X_{1,3}, X_{2,3})$ in the example above, is repeated infinitely. For synchronous
systems we need different states at each time step, so we assume that global states not explicitly
listed encode the time in some way, and so change at each time step. For notational simplicity, we
use the same symbol for a local state and its corresponding information set.

Example A.1: Suppose that the synchronous system $\mathcal{R}$ consists of the following two runs:

• $r_1 = ((X, A), (Y_1, B_1), (Y_2, B_2), \ldots)$

• $r_2 = ((Z, A), (Y_1, C_1), (Y_2, C_2), \ldots)$

Note that agent 2 has perfect recall in $\mathcal{R}$, but agent 1 does not (since at time 0 agent 1 knows the
run, but at all later times, he does not). It is easy to check that agent 2 maintains synchronous
secrecy with respect to 1, but not run-based secrecy, since $\mathcal{R}(B_1) \cap \mathcal{R}(Z) = \emptyset$.

For the same reasons, if we take the probability measure $\mu$ on $\mathcal{R}$ with $\mu(r_1) = \mu(r_2) = 1/2$,
probabilistic synchronous secrecy and run-based probabilistic secrecy do not coincide. This
shows that the perfect recall requirement is necessary in both Propositions 3.10 and 4.8. ■

Example A.2: Suppose that $\mathcal{R}$ consists of the following three runs (where, in each case,
the last state repeats infinitely often):

• $r_1 = ((X, A), \ldots)$

• $r_2 = ((X, B), (Y, A), \ldots)$

• $r_3 = ((Y, A), \ldots)$

It is easy to see that agent 2 maintains run-based secrecy with respect to agent 1 in $\mathcal{R}$, but
not total secrecy or synchronous secrecy (since, for example, $Y \cap B = \emptyset$).

Now consider a probability measure $\mu$ on $\mathcal{R}$ such that $\mu(r_1) = \mu(r_3) = 2/5$, and $\mu(r_2) = 1/5$.
Then $\mu(\mathcal{R}(A) \mid \mathcal{R}(X)) = \mu(\mathcal{R}(A) \mid \mathcal{R}(Y)) = 1$ and $\mu(\mathcal{R}(B) \mid \mathcal{R}(X)) = \mu(\mathcal{R}(B) \mid \mathcal{R}(Y)) = 1/3$,
so agent 2 maintains run-based probabilistic secrecy with respect to 1 in $\mathcal{R}$. Agent 1 does not
maintain probabilistic secrecy with respect to 2 in $(\mathcal{R}, \mu)$, since $\mu(\mathcal{R}(X) \mid \mathcal{R}(A)) = 3/5$, while
$\mu(\mathcal{R}(X) \mid \mathcal{R}(B)) = 1$. Thus, if the agents do not have perfect recall and the system is not
synchronous, then run-based probabilistic secrecy is not necessarily symmetric. ■
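
The claims of Example A.2 can be confirmed by direct enumeration. The Python below is an added example, not part of the paper; the finite-prefix encoding of runs, `HORIZON`, and all function names are assumptions of this example.

```python
"""Added example: checking the secrecy claims of Example A.2 by enumeration."""
from fractions import Fraction

# Each run is a finite prefix of global states (agent 1 state, agent 2 state);
# as in the text, the last global state repeats forever.
RUNS = {
    "r1": [("X", "A")],
    "r2": [("X", "B"), ("Y", "A")],
    "r3": [("Y", "A")],
}
MU = {"r1": Fraction(2, 5), "r2": Fraction(1, 5), "r3": Fraction(2, 5)}
HORIZON = max(len(seq) for seq in RUNS.values())  # later points add nothing new
AGENT1, AGENT2 = 0, 1


def local_state(run, m, agent):
    seq = RUNS[run]
    return seq[min(m, len(seq) - 1)][agent]


def info_set(agent, state):
    """Points (run, time) at which `agent` is in local state `state`."""
    return {(r, m) for r in RUNS for m in range(HORIZON)
            if local_state(r, m, agent) == state}


def runs_through(points):
    return {r for r, _ in points}


def states(agent):
    return sorted({local_state(r, m, agent)
                   for r in RUNS for m in range(HORIZON)})


def total_secrecy(secret, observer):
    """Every observer information set shares a point with every secret one."""
    return all(info_set(secret, s) & info_set(observer, o)
               for s in states(secret) for o in states(observer))


def run_based_secrecy(secret, observer):
    """Every observer information set shares a run with every secret one."""
    return all(runs_through(info_set(secret, s))
               & runs_through(info_set(observer, o))
               for s in states(secret) for o in states(observer))


def mu(runs):
    return sum((MU[r] for r in runs), Fraction(0))


def cond(secret, s, observer, o):
    """mu(R(s) | R(o)) for local state s of `secret` and o of `observer`."""
    rs = runs_through(info_set(secret, s))
    ro = runs_through(info_set(observer, o))
    return mu(rs & ro) / mu(ro)


def prob_run_based_secrecy(secret, observer):
    """The observer's state never changes the probability of a secret state."""
    return all(len({cond(secret, s, observer, o)
                    for o in states(observer)}) == 1
               for s in states(secret))


if __name__ == "__main__":
    print("2 keeps run-based secrecy from 1:", run_based_secrecy(AGENT2, AGENT1))
    print("2 keeps total secrecy from 1:", total_secrecy(AGENT2, AGENT1))
    print("probabilistic, 2 from 1:", prob_run_based_secrecy(AGENT2, AGENT1))
    print("probabilistic, 1 from 2:", prob_run_based_secrecy(AGENT1, AGENT2))
```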

Example A.3: Suppose that the synchronous system $\mathcal{R}$ consists of the following four runs:

• $r_1 = ((X, A), (Y_1, C_1), (Y_2, C_2), \ldots)$

• $r_2 = ((X, B), (Y_1, D_1), (Y_2, D_2), \ldots)$

• $r_3 = ((Q, A), (R_1, D_1), (R_2, D_2), \ldots)$

• $r_4 = ((Q, B), (R_1, C_1), (R_2, C_2), \ldots)$

Note that agent 2 does not have perfect recall in $\mathcal{R}$, although agent 1 does. Let $\mu$ give each
of these runs equal probability. It is easy to check that for all $i \ge 1$,
$\mu(\mathcal{R}(A) \mid \mathcal{R}(X)) = \mu(\mathcal{R}(A) \mid \mathcal{R}(Q)) = 1/2$,
$\mu(\mathcal{R}(B) \mid \mathcal{R}(X)) = \mu(\mathcal{R}(B) \mid \mathcal{R}(Q)) = 1/2$,
$\mu(\mathcal{R}(C_i) \mid \mathcal{R}(X)) = \mu(\mathcal{R}(C_i) \mid \mathcal{R}(Q)) = 1/2$, and
$\mu(\mathcal{R}(D_i) \mid \mathcal{R}(X)) = \mu(\mathcal{R}(D_i) \mid \mathcal{R}(Q)) = 1/2$.
Because $\mathcal{R}(X) = \mathcal{R}(Y_i)$ and $\mathcal{R}(Q) = \mathcal{R}(R_i)$ for all $i \ge 1$, it follows that agent 2 maintains
run-based probabilistic secrecy with respect to 1 in $(\mathcal{R}, \mu)$.

Now, let p be a primitive proposition and let $\pi$ be an interpretation such that p is true
if 2's local state is either A or $D_1$. Thus, p is 2-local in $\mathcal{I} = (\mathcal{R}, \mu, \pi)$. Since
$\mu(\mathcal{R}(A) \cup \mathcal{R}(D_1) \mid \mathcal{R}(X)) = 1$ while $\mu(\mathcal{R}(A) \cup \mathcal{R}(D_1) \mid \mathcal{R}(Q)) = 1/2$, there is no constant $\sigma$ such that
$\mathcal{I} \models \Pr_1(\Diamond p) = \sigma$. This shows that the assumption that agent j has perfect recall is necessary
in Theorem 4.10. ■

B Proofs for Section 3

Proposition 3.9: If $\mathcal{R}$ is a system where i and j have perfect recall, C depends only on timing,
and j maintains C-secrecy with respect to i, then j maintains run-based secrecy with respect
to i.

Proof: Given (r, m) and (r', m'), we must find a run r'' and times $m_1$ and $m_2$ such that
$r''_i(m_1) = r_i(m)$ and $r''_j(m_2) = r'_j(m')$. Because C depends only on timing, there exists a
point (r, n) such that $(r', m') \in C(r, n)$. The proof now splits into two cases:

• Suppose that $n \ge m$. By C-secrecy, there exists a point $(r'', m_2)$ such that $r''_i(m_2) = r_i(n)$
and $r''_j(m_2) = r'_j(m')$. Because i has perfect recall, there exists some $m_1 \le m_2$
such that $r''_i(m_1) = r_i(m)$.

• Suppose that $m > n$. Because C depends only on timing, there exists $n' \ge m'$ such that
$(r', n') \in C(r, m)$. By C-secrecy, there exists a point $(r'', m_2)$ such that $r''_i(m_2) = r_i(m)$
and $r''_j(m_2) = r'_j(n')$. Because j has perfect recall, there exists some $m_1 \le m_2$ such that
$r''_j(m_1) = r'_j(m')$.

■

Proposition 3.10: If $\mathcal{R}$ is a synchronous system where both i and j have perfect recall, then
agent j maintains synchronous secrecy with respect to i iff j maintains run-based secrecy with
respect to i.

Proof: Suppose that agent j maintains synchronous secrecy with respect to i in $\mathcal{R}$. Because
both i and j have perfect recall, j maintains run-based secrecy with respect to i by
Proposition 3.9.

Conversely, suppose that j maintains run-based secrecy with respect to i. Given runs $r, r' \in \mathcal{R}$
and any time m, there exists a run r'', and times n and n', such that $r''_i(n) = r_i(m)$ and
$r''_j(n') = r'_j(m)$. By synchrony, $m = n = n'$, and we have $r''_i(m) = r_i(m)$ and $r''_j(m) = r'_j(m)$.
Thus j maintains synchronous secrecy with respect to i. ■

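Proposition 3.11: A formula $\varphi$ is j-local in an interpreted system $\mathcal{I} = (\mathcal{R}, \pi)$ iff there exists
a set $\Omega$ of j-information sets such that $(\mathcal{I}, r, m) \models \varphi$ whenever $(r, m) \in \bigcup_{\mathcal{K} \in \Omega} \mathcal{K}$.

Proof: Suppose that $\varphi$ is j-local. Let

$\Omega = \{\mathcal{K}_j(r, m) \mid (\mathcal{I}, r, m) \models \varphi\}.$

If $(\mathcal{I}, r, m) \models \varphi$, then $\mathcal{K}_j(r, m) \in \Omega$ by definition, so $(r, m) \in \bigcup_{\mathcal{K} \in \Omega} \mathcal{K}$. Likewise, if
$(r, m) \in \bigcup_{\mathcal{K} \in \Omega} \mathcal{K}$, then $(r, m) \in \mathcal{K}_j(r', m')$ for some (r', m') such that $(\mathcal{I}, r', m') \models \varphi$. By j-locality,
$(\mathcal{I}, r, m) \models \varphi$.

Conversely suppose that there exists a set of j-information sets $\Omega$ such that $(\mathcal{I}, r, m) \models \varphi$
whenever $(r, m) \in \bigcup_{\mathcal{K} \in \Omega} \mathcal{K}$. We need to show that $\varphi$ is j-local. Suppose that $r_j(m) = r'_j(m')$.
If $(\mathcal{I}, r, m) \models \varphi$, then $(r, m) \in \mathcal{K}_j(r'', m'')$ for some $\mathcal{K}_j(r'', m'') \in \Omega$, and clearly
$(r', m') \in \mathcal{K}_j(r'', m'') \subseteq \bigcup_{\mathcal{K} \in \Omega} \mathcal{K}$ too, so $(\mathcal{I}, r', m') \models \varphi$ by assumption. ■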

Theorem 3.12: Suppose that C is an i-allowability function. Agent j maintains C-secrecy
with respect to agent i in system $\mathcal{R}$ iff, for every interpretation $\pi$ and point (r, m), if $\varphi$ is j-local
and $(\mathcal{I}, r', m') \models \varphi$ for some $(r', m') \in C(r, m)$, then $(\mathcal{I}, r, m) \models P_i \varphi$.

Proof: Suppose that j maintains C-secrecy with respect to i in $\mathcal{R}$. Let $\pi$ be an interpretation,
let (r, m) be a point, and let $\varphi$ be a formula that is j-local such that $(\mathcal{I}, r', m') \models \varphi$ for some
$(r', m') \in C(r, m)$. By C-secrecy, there exists a point $(r'', m'') \in \mathcal{K}_i(r, m) \cap \mathcal{K}_j(r', m')$.
Because $\varphi$ is j-local, $(\mathcal{I}, r'', m'') \models \varphi$. Thus $(\mathcal{I}, r, m) \models P_i \varphi$, as required.

For the converse, given $(r, m) \in \mathcal{PT}(\mathcal{R})$ and $(r', m') \in C(r, m)$, let $\pi$ be an interpretation
such that $\pi(r'', m'')(p) = \mathit{true}$ iff $(r'', m'') \in \mathcal{K}_j(r', m')$. Let $\mathcal{I} = (\mathcal{R}, \pi)$. Clearly, p is j-local.
By assumption, $(\mathcal{I}, r, m) \models P_i p$. Thus, there exists some point $(r'', m'') \in \mathcal{K}_i(r, m)$ such
that $(\mathcal{I}, r'', m'') \models p$. By definition, $(r'', m'') \in \mathcal{K}_j(r', m')$. Because
$(r'', m'') \in \mathcal{K}_i(r, m) \cap \mathcal{K}_j(r', m')$, j maintains C-secrecy with respect to i in $\mathcal{R}$. ■

Theorem 3.14: Agent j maintains run-based secrecy with respect to agent i in system $\mathcal{R}$ iff,
for every interpretation $\pi$, if $\varphi$ is j-local and satisfiable in $\mathcal{I} = (\mathcal{R}, \pi)$, then $\mathcal{I} \models P_i \Diamond \varphi$.

Proof: Suppose that j maintains run-based secrecy with respect to i. Let $\pi$ be an interpretation
and let $\varphi$ be a j-local formula that is satisfiable in $\mathcal{I} = (\mathcal{R}, \pi)$. Choose a point (r, m).
Because $\varphi$ is satisfiable, there exists a point (r', m') such that $(\mathcal{I}, r', m') \models \varphi$. Because j
maintains run-based secrecy with respect to i, there exist a run r'' and times n and n' such
that $r''_i(n) = r_i(m)$ and $r''_j(n') = r'_j(m')$. By j-locality, $(\mathcal{I}, r'', n') \models \varphi$. It follows that
$(\mathcal{I}, r'', n) \models \Diamond \varphi$, and that $(\mathcal{I}, r, m) \models P_i \Diamond \varphi$, as desired.

For the converse, given points (r, m) and (r', m'), let $\pi$ be an interpretation such that
$\pi(r'', m'')(p) = \mathit{true}$ iff $(r'', m'') \in \mathcal{K}_j(r', m')$. We must show that
$\mathcal{R}(\mathcal{K}_i(r, m)) \cap \mathcal{R}(\mathcal{K}_j(r', m')) \ne \emptyset$. Clearly p is j-local and satisfiable, so
$(\mathcal{I}, r, m) \models P_i \Diamond p$. Thus, there exists a point
$(r'', n) \in \mathcal{K}_i(r, m)$ such that $(\mathcal{I}, r'', n) \models \Diamond p$. By definition of p, there exists n' such that
$(r'', n') \in \mathcal{K}_j(r', m')$. It follows that $r'' \in \mathcal{R}(\mathcal{K}_i(r, m)) \cap \mathcal{R}(\mathcal{K}_j(r', m'))$. ■



C Proofs for Section 4

Proposition 4.2: If $(\mathcal{R}, \mathcal{PR})$ is a probability system such that $\mu_{r,m,i}(\{(r, m)\}) > 0$ for all
points (r, m) and j maintains probabilistic total secrecy with respect to i in $(\mathcal{R}, \mathcal{PR})$, then j
also maintains total secrecy with respect to i in $\mathcal{R}$.

Proof: Suppose that j maintains probabilistic total secrecy with respect to i in $(\mathcal{R}, \mathcal{PR})$, and
(r, m) and (r', m') are arbitrary points. Then (taking $(r'', m'') = (r', m')$ in the definition)
we have $\mu_{r,m,i}(\mathcal{K}_j(r', m') \cap \mathcal{K}_i(r, m)) = \mu_{r',m',i}(\mathcal{K}_j(r', m') \cap \mathcal{K}_i(r', m'))$. But
$(r', m') \in \mathcal{K}_j(r', m') \cap \mathcal{K}_i(r', m')$, so
$\mu_{r',m',i}(\mathcal{K}_j(r', m') \cap \mathcal{K}_i(r', m')) \ge \mu_{r',m',i}(\{(r', m')\}) > 0$, by
assumption. Thus, $\mu_{r,m,i}(\mathcal{K}_j(r', m') \cap \mathcal{K}_i(r, m)) > 0$, from which it follows that
$\mathcal{K}_j(r', m') \cap \mathcal{K}_i(r, m) \ne \emptyset$. ■

The following result is proved by Gill, van der Laan, and Robins [1997]; see also Grünwald
and Halpern [2003, Theorem 3.1]. (A more general version is stated and proved as Proposition

EU) 

Lemma C.1: Suppose that $\mu$ is a probability on W, $X, Y \subseteq W$, $Y_1, Y_2, \ldots$ is a countable
partition of $Y \subseteq W$, and $X, Y_1, Y_2, \ldots$ are all measurable. The following are equivalent:

(a) $\mu(X \mid Y_i) = \mu(X \mid Y_j)$ for all $Y_i, Y_j$ such that $\mu(Y_i) > 0$ and $\mu(Y_j) > 0$.

(b) $\mu(X \mid Y_i) = \mu(X \mid Y)$ for all $Y_i$ such that $\mu(Y_i) > 0$, i.e., $Y_i$ is conditionally independent
of X given Y.

Proposition 4.6: If $(\mathcal{R}, \mathcal{PR})$ is a probability system (resp., synchronous probability system)
that satisfies the common prior assumption with prior probability $\mu_{cp}$, the following are
equivalent:

(a) Agent j maintains probabilistic total (resp., synchronous) secrecy with respect to i.

(b) Agent i maintains probabilistic total (resp., synchronous) secrecy with respect to j.

(c) For all points (r, m) and (r', m'), $\mu_{cp}(\mathcal{K}_j(r', m') \mid \mathcal{K}_i(r, m)) = \mu_{cp}(\mathcal{K}_j(r', m'))$ (resp.,
for all points (r, m) and (r', m), $\mu_{cp}(\mathcal{K}_j(r', m) \mid \mathcal{K}_i(r, m)) = \mu_{cp}(\mathcal{K}_j(r', m) \mid \mathcal{PT}(m))$,
where $\mathcal{PT}(m)$ is the set of points occurring at time m; that is, the events $\mathcal{K}_i(r, m)$ and
$\mathcal{K}_j(r', m)$ are conditionally independent with respect to $\mu_{cp}$, given that the time is m).

Proof: We prove the synchronous case here. The proof for total secrecy is almost identical and
left to the reader. Recall that j maintains probabilistic synchronous secrecy with respect to i if,
for all times m and all runs r, r', r'',

$\mu_{r,m,i}(\mathcal{K}_j(r'', m) \cap \mathcal{K}_i(r, m)) = \mu_{r',m,i}(\mathcal{K}_j(r'', m) \cap \mathcal{K}_i(r', m)).$

Because $(\mathcal{R}, \mathcal{PR})$ satisfies the common prior assumption with prior probability $\mu_{cp}$, this
requirement can be restated as

$\mu_{cp}(\mathcal{K}_j(r'', m) \mid \mathcal{K}_i(r, m)) = \mu_{cp}(\mathcal{K}_j(r'', m) \mid \mathcal{K}_i(r', m)).$

By Lemma C.1, taking $Y = \mathcal{PT}(m)$ and the $Y_i$'s to be the i-information sets at time m,
it follows that j maintains probabilistic synchronous secrecy with respect to i iff $\mathcal{K}_j(r'', m)$ is
conditionally independent of $\mathcal{K}_i(r, m)$ conditional on $\mathcal{PT}(m)$ for all runs r and r''. By the
symmetry of conditional independence, it immediately follows that this is true iff i maintains
probabilistic synchronous secrecy with respect to j. ■

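Lemma C.2: If $\mathcal{R}$ is a system where agent i has perfect recall and $\Omega$ is an arbitrary set of
i-information sets, then there exists a set $\Omega' \subseteq \Omega$ such that $\{\mathcal{R}(\mathcal{K}) \mid \mathcal{K} \in \Omega'\}$ is a partition of
$\bigcup_{\mathcal{K} \in \Omega} \mathcal{R}(\mathcal{K})$.

Proof: Define a set $\mathcal{K} \in \Omega$ to be dominated by a set $\mathcal{K}' \in \Omega$ if $\mathcal{K} \ne \mathcal{K}'$ and there exists a run r
and times $m' < m$ such that $(r, m) \in \mathcal{K}$ and $(r, m') \in \mathcal{K}'$. Let $\Omega'$ consist of the information sets
in $\Omega$ that are not dominated by another set in $\Omega$. Note that if $r \in \bigcup_{\mathcal{K} \in \Omega} \mathcal{R}(\mathcal{K})$, then $r \in \mathcal{R}(\mathcal{K}')$
for some $\mathcal{K}' \in \Omega'$. To see this, consider the set $\Omega(\mathcal{K})$ consisting of $\mathcal{K}$ and all information sets in
$\Omega$ that dominate $\mathcal{K}$. By perfect recall, i's local state sequence at each information set in $\Omega(\mathcal{K})$ is
a (not necessarily strict) prefix of i's local state sequence in $\mathcal{K}$. Let $\mathcal{K}'$ be the information set in
$\Omega(\mathcal{K})$ where i's local state sequence is shortest. It follows that $\mathcal{K}'$ is not dominated by another
information set in $\Omega(\mathcal{K})$. Furthermore, if there exists an information set $\mathcal{K}'' \in \Omega - \Omega(\mathcal{K})$ that
dominates $\mathcal{K}'$, then $\mathcal{K}''$ would dominate $\mathcal{K}$ as well, contradicting the construction of $\Omega(\mathcal{K})$.
Therefore, $\mathcal{K}' \in \Omega'$ and $r \in \mathcal{K}'$. Thus $\bigcup_{\mathcal{K} \in \Omega'} \mathcal{R}(\mathcal{K}) = \bigcup_{\mathcal{K} \in \Omega} \mathcal{R}(\mathcal{K})$. Moreover, if $\mathcal{K}$ and $\mathcal{K}'$
are different sets in $\Omega'$, then $\mathcal{R}(\mathcal{K})$ and $\mathcal{R}(\mathcal{K}')$ must be disjoint, for otherwise one of $\mathcal{K}$ or $\mathcal{K}'$
would dominate the other. ■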

Proposition 4.7: If $(\mathcal{R}, \mathcal{F}, \mu)$ is a run-based probability system that is either synchronous or
one where agents i and j both have perfect recall, then the following are equivalent:

(a) Agent j maintains run-based probabilistic secrecy with respect to i.

(b) Agent i maintains run-based probabilistic secrecy with respect to j.

(c) For all points (r, m) and (r', m'), $\mathcal{R}(\mathcal{K}_i(r, m))$ and $\mathcal{R}(\mathcal{K}_j(r', m'))$ are probabilistically
independent with respect to $\mu$.

Proof: First, note that if $\mathcal{R}$ is synchronous or if i has perfect recall, then there exists a collection
$\Omega$ of i-information sets such that the set $\{\mathcal{R}(\mathcal{K}) \mid \mathcal{K} \in \Omega\}$ is a partition of $\mathcal{R}$. In the case of
perfect recall, this follows by Lemma C.2 applied to the set of all information sets (whose
union is clearly $\mathcal{R}$). With synchrony we can take $\Omega$ to consist of sets of the form $\mathcal{R}(\mathcal{K}_i(r, m))$,
for some fixed time m.

Now, suppose j maintains run-based probabilistic secrecy with respect to i. By definition,

$\mu(\mathcal{R}(\mathcal{K}_j(r'', m'')) \mid \mathcal{R}(\mathcal{K}_i(r, m))) = \mu(\mathcal{R}(\mathcal{K}_j(r'', m'')) \mid \mathcal{R}(\mathcal{K}_i(r', m')))$

for all points (r, m), (r', m'), and (r'', m''). In particular, for all $\mathcal{K}, \mathcal{K}' \in \Omega$, and all points
(r', m'), $\mu(\mathcal{R}(\mathcal{K}_j(r', m')) \mid \mathcal{R}(\mathcal{K})) = \mu(\mathcal{R}(\mathcal{K}_j(r', m')) \mid \mathcal{R}(\mathcal{K}'))$. By Lemma C.1 it follows that
$\mu(\mathcal{R}(\mathcal{K}_j(r', m')) \mid \mathcal{R}(\mathcal{K})) = \mu(\mathcal{R}(\mathcal{K}_j(r', m')))$ for all information sets $\mathcal{K} \in \Omega$. But then it
follows by secrecy that $\mu(\mathcal{R}(\mathcal{K}_j(r', m')) \mid \mathcal{R}(\mathcal{K}_i(r, m))) = \mu(\mathcal{R}(\mathcal{K}_j(r', m')))$ for all i-information
sets $\mathcal{R}(\mathcal{K}_i(r, m))$. Therefore $\mathcal{R}(\mathcal{K}_j(r', m'))$ and $\mathcal{R}(\mathcal{K}_i(r, m))$ are independent for all
information sets $\mathcal{K}_j(r', m')$ and $\mathcal{K}_i(r, m)$. Thus secrecy implies independence, and this holds if we
reverse the roles of i and j.

It is also clear that independence implies secrecy. For suppose that (c) holds. Then, for all
points (r, m), (r', m'), and (r'', m''), we have

$\mu(\mathcal{R}(\mathcal{K}_j(r'', m'')) \mid \mathcal{R}(\mathcal{K}_i(r, m))) = \mu(\mathcal{R}(\mathcal{K}_j(r'', m''))) = \mu(\mathcal{R}(\mathcal{K}_j(r'', m'')) \mid \mathcal{R}(\mathcal{K}_i(r', m'))),$

so that j maintains run-based probabilistic secrecy with respect to i. Similarly, i maintains
secrecy with respect to j. ■

Proposition l4.8t If (JZ, VIZ) is the standard system determined by the synchronous run-based 
probability system (JZ, JF, fi) and agents i and j have perfect recall in 7Z, then agent j main- 
tains run-based probabilistic secrecy with respect to i in (JZ, JF, ju) iffj maintains probabilistic 
synchronous secrecy with respect to i in (JZ, VIZ). 

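Proof: Clearly if $j$ maintains run-based probabilistic secrecy with respect to $i$ in $(\mathcal{R}, \mu)$ and $(\mathcal{R}, \mathcal{PR})$ is the standard system determined by $(\mathcal{R}, \mu)$ then, at all times $m$,

$$\begin{aligned}
\mu_{r,m,i}(\mathcal{K}_j(r'', m) \cap \mathcal{K}_i(r, m)) &= \mu(\mathcal{K}_j(r'', m) \mid \mathcal{K}_i(r, m)) \\
&= \mu(\mathcal{K}_j(r'', m) \mid \mathcal{K}_i(r', m)) \\
&= \mu_{r',m,i}(\mathcal{K}_j(r'', m) \cap \mathcal{K}_i(r', m)),
\end{aligned}$$

so $j$ maintains probabilistic synchronous secrecy with respect to $i$ in $(\mathcal{R}, \mathcal{PR})$.

For the converse, suppose that $j$ maintains probabilistic synchronous secrecy with respect to $i$ in $(\mathcal{R}, \mathcal{PR})$. We want to show that, for all points $(r, m)$, $(r', m')$, and $(r'', m'')$,

$$\mu(\mathcal{R}(\mathcal{K}_j(r'', m'')) \mid \mathcal{R}(\mathcal{K}_i(r, m))) = \mu(\mathcal{R}(\mathcal{K}_j(r'', m'')) \mid \mathcal{R}(\mathcal{K}_i(r', m'))). \quad (1)$$

We first show that, for all runs $r$ and $r''$ and times $m$ and $m''$,

$$\mu(\mathcal{R}(\mathcal{K}_j(r'', m'')) \mid \mathcal{R}(\mathcal{K}_i(r, m))) = \mu(\mathcal{R}(\mathcal{K}_j(r'', m'')) \mid \mathcal{R}(\mathcal{K}_i(r, m''))). \quad (2)$$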






Since (2) also holds with $r$ replaced by $r'$, (1) easily follows from (2) and the assumption that $j$ maintains probabilistic synchronous secrecy with respect to $i$.

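To prove (2), we consider two cases: $m < m''$ and $m'' < m$. If $m < m''$ then, by synchrony and perfect recall, we can partition the runs in $\mathcal{R}(\mathcal{K}_i(r, m))$ according to $i$'s local state at time $m''$. Let $\Omega = \{\mathcal{K}_i(r^*, m'') \mid r^* \in \mathcal{R}(\mathcal{K}_i(r, m))\}$. By perfect recall and synchrony, $\mathcal{R}(\mathcal{K}_i(r, m))$ is the disjoint union of the sets in $\Omega$. Thus,

$$\begin{aligned}
&\mu(\mathcal{R}(\mathcal{K}_j(r'', m'')) \mid \mathcal{R}(\mathcal{K}_i(r, m))) \\
&= \sum_{\mathcal{K} \in \Omega} \mu(\mathcal{R}(\mathcal{K}_j(r'', m'')) \cap \mathcal{R}(\mathcal{K}) \mid \mathcal{R}(\mathcal{K}_i(r, m))) \\
&= \sum_{\mathcal{K} \in \Omega} \mu(\mathcal{R}(\mathcal{K}_j(r'', m'')) \mid \mathcal{R}(\mathcal{K})) \cdot \mu(\mathcal{R}(\mathcal{K}) \mid \mathcal{R}(\mathcal{K}_i(r, m))) \\
&= \mu(\mathcal{R}(\mathcal{K}_j(r'', m'')) \mid \mathcal{R}(\mathcal{K}_i(r, m''))) \cdot \sum_{\mathcal{K} \in \Omega} \mu(\mathcal{R}(\mathcal{K}) \mid \mathcal{R}(\mathcal{K}_i(r, m))) \quad \text{[by synchronous secrecy]} \\
&= \mu(\mathcal{R}(\mathcal{K}_j(r'', m'')) \mid \mathcal{R}(\mathcal{K}_i(r, m''))).
\end{aligned}$$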

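The argument is similar if $m'' < m$. We now partition the runs in $\mathcal{R}(\mathcal{K}_i(r, m''))$ according to $i$'s local state at time $m$ and the runs in $\mathcal{R}(\mathcal{K}_j(r'', m''))$ according to $j$'s local state at time $m$. Define

$$\Omega_i = \{\mathcal{K}_i(r^*, m) \mid r^* \in \mathcal{R}(\mathcal{K}_i(r, m''))\}$$

and

$$\Omega_j = \{\mathcal{K}_j(r^*, m) \mid r^* \in \mathcal{R}(\mathcal{K}_j(r'', m''))\}.$$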

We now have 

fi{n{}Cj{r", m")) I 7^(/C^(r, m"))) 

= ^K.en, Ey^en. I ^(^.)) " -"(^(^.) I ^Ur, m"))) 

= ^K.en, f^iniC,) I i?(/C.)) ■ Ek:,^^, /^(^(^^) I ^(^^(^ '^"))) 

as needed. | 
Theorem 4.9:

(a) If $(\mathcal{R}, \mathcal{PR})$ is a probabilistic system, then agent $j$ maintains probabilistic total secrecy with respect to agent $i$ iff, for every interpretation $\pi$ and formula $\varphi$ that is $j$-local in $\mathcal{I} = (\mathcal{R}, \mathcal{PR}, \pi)$, there exists a constant $\sigma$ such that $\mathcal{I} \models \Pr_i(\varphi) = \sigma$.

(b) If $(\mathcal{R}, \mathcal{PR})$ is a synchronous probabilistic system, then agent $j$ maintains probabilistic synchronous secrecy with respect to agent $i$ iff, for every interpretation $\pi$, time $m$, and formula $\varphi$ that is $j$-local in $\mathcal{I} = (\mathcal{R}, \mathcal{PR}, \pi)$, there exists a constant $\sigma_m$ such that $(\mathcal{I}, r, m) \models \Pr_i(\varphi) = \sigma_m$ for all runs $r \in \mathcal{R}$.

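Proof: We prove part (b) here. The proof of (a) is similar.

Suppose $\mathcal{R}$ is synchronous and that $j$ maintains synchronous probabilistic secrecy with respect to $i$. Let $\pi$ be an interpretation, $m$ be an arbitrary time, and $\varphi$ be a $j$-local formula in $\mathcal{I} = (\mathcal{R}, \mu, \pi)$. Because $\varphi$ is $j$-local, by Proposition 3.11 there exists a set $\Omega$ of $j$-information sets such that $(\mathcal{I}, r, m) \models \varphi$ iff $(r, m) \in \bigcup_{\mathcal{K} \in \Omega} \mathcal{K}$. Let $\Psi = \bigcup_{\mathcal{K} \in \Omega} \mathcal{K}$. Let $S = \{r' \in \mathcal{R} \mid (r', m) \in \Psi\}$ and let $\Omega(m) = \{\mathcal{K} \in \Omega \mid (r', m) \in \mathcal{K} \text{ for some } r' \in \mathcal{R}\}$. Since $j$ maintains synchronous probabilistic secrecy with respect to $i$, for every element $\mathcal{K} \in \Omega(m)$, there is a constant $\sigma(\mathcal{K}, m)$ such that, for all runs $r \in \mathcal{R}$, $\mu(\mathcal{R}(\mathcal{K}) \mid \mathcal{R}(\mathcal{K}_i(r, m))) = \sigma(\mathcal{K}, m)$. Let $\sigma_m = \sum_{\mathcal{K} \in \Omega(m)} \sigma(\mathcal{K}, m)$, and fix $r \in \mathcal{R}$. By synchrony, the set $\{\mathcal{R}(\mathcal{K}) \mid \mathcal{K} \in \Omega(m)\}$ partitions $S$, and

$$\mu(S \mid \mathcal{R}(\mathcal{K}_i(r, m))) = \sum_{\mathcal{K} \in \Omega(m)} \mu(\mathcal{R}(\mathcal{K}) \mid \mathcal{R}(\mathcal{K}_i(r, m))) = \sigma_m.$$

Because $\Psi \cap \mathcal{K}_i(r, m) = \mathcal{K}_i(r, m)(S)$, we have $\mu_{r,m,i}(\Psi) = \mu(S \mid \mathcal{R}(\mathcal{K}_i(r, m)))$, and it follows that $(\mathcal{I}, r, m) \models \Pr_i(\varphi) = \sigma_m$, as desired.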

For the converse, suppose that for every interpretation $\pi$ and time $m$, if $\varphi$ is $j$-local in $\mathcal{I} = (\mathcal{R}, \mu, \pi)$, then there exists a constant $\sigma_m$ such that $(\mathcal{I}, r, m) \models \Pr_i(\varphi) = \sigma_m$ for all runs $r \in \mathcal{R}$. Fix a time $m$. Suppose that $r, r', r'' \in \mathcal{R}$ and that $\pi$ is an interpretation such that $\pi(r^*, n)(p) = \mathbf{true}$ iff $(r^*, n) \in \mathcal{K}_j(r'', m)$. The proposition $p$ is $j$-local, so there exists a constant $\sigma_m$ such that $(\mathcal{I}, r, m) \models \Pr_i(p) = \sigma_m$ and $(\mathcal{I}, r', m) \models \Pr_i(p) = \sigma_m$. It follows that

$$\mu_{r,m,i}(\mathcal{K}_j(r'', m)) = \sigma_m = \mu_{r',m,i}(\mathcal{K}_j(r'', m)),$$

as desired. ∎

Theorem 4.10: If $(\mathcal{R}, \mathcal{PR})$ is a standard probability system where agent $j$ has perfect recall, then agent $j$ maintains run-based probabilistic secrecy with respect to agent $i$ iff, for every interpretation $\pi$ and every formula $\varphi$ that is $j$-local in $\mathcal{I} = (\mathcal{R}, \mathcal{PR}, \pi)$, there exists a constant $\sigma$ such that $\mathcal{I} \models \Pr_i(\Diamond \varphi) = \sigma$.

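Proof: Suppose that $j$ maintains probabilistic secrecy with respect to agent $i$ in $(\mathcal{R}, \mu)$. Given an interpretation $\pi$ and a formula $\varphi$ that is $j$-local in $\mathcal{I} = (\mathcal{R}, \mu, \pi)$, by Proposition 3.11 there exists a set $\Omega$ of $j$-information sets such that $(\mathcal{I}, r, m) \models \varphi$ whenever $(r, m) \in \bigcup_{\mathcal{K} \in \Omega} \mathcal{K}$. Let $\Psi = \bigcup_{\mathcal{K} \in \Omega} \mathcal{R}(\mathcal{K})$. Note that $(\mathcal{I}, r, m) \models \Diamond \varphi$ iff $r \in \mathcal{R}(\bigcup_{\mathcal{K} \in \Omega} \mathcal{K}) = \Psi$. By Lemma C.2 there exists a set $\Omega' \subseteq \Omega$ such that $\{\mathcal{R}(\mathcal{K}) : \mathcal{K} \in \Omega'\}$ is a partition of $\Psi$. By probabilistic secrecy, for each $\mathcal{K} \in \Omega'$ there exists a constant $\sigma_{\mathcal{K}}$ such that

$$\mu(\mathcal{R}(\mathcal{K}) \mid \mathcal{R}(\mathcal{K}_i(r, m))) = \sigma_{\mathcal{K}}$$

for all points $(r, m)$. Let $\sigma = \sum_{\mathcal{K} \in \Omega'} \sigma_{\mathcal{K}}$. Because $\{\mathcal{R}(\mathcal{K}) \mid \mathcal{K} \in \Omega'\}$ is a partition of $\Psi$, for all points $(r, m)$,

$$\mu(\Psi \mid \mathcal{R}(\mathcal{K}_i(r, m))) = \sum_{\mathcal{K} \in \Omega'} \mu(\mathcal{R}(\mathcal{K}) \mid \mathcal{R}(\mathcal{K}_i(r, m))) = \sigma.$$

Because $\mu_{r,m,i}(\mathcal{K}_i(r, m)(\Psi)) = \mu(\Psi \mid \mathcal{R}(\mathcal{K}_i(r, m)))$, it follows that $\mathcal{I} \models \Pr_i(\Diamond \varphi) = \sigma$.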

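For the converse, suppose that for every interpretation $\pi$ and formula $\varphi$ that is $j$-local in $\mathcal{I} = (\mathcal{R}, \mu, \pi)$, there exists a constant $\sigma$ such that $\mathcal{I} \models \Pr_i(\Diamond \varphi) = \sigma$. Given points $(r, m)$, $(r', m')$, and $(r'', m'')$, let $\pi$ be an interpretation such that $\pi(r^*, n)(p) = \mathbf{true}$ iff $(r^*, n) \in \mathcal{K}_j(r'', m'')$. The proposition $p$ is $j$-local, so $\mathcal{I} \models \Pr_i(\Diamond p) = \sigma$. It follows that

$$\mu(\mathcal{R}(\mathcal{K}_j(r'', m'')) \mid \mathcal{R}(\mathcal{K}_i(r, m))) = \mu_{r,m,i}(\mathcal{K}_i(r, m)(\mathcal{R}(\mathcal{K}_j(r'', m'')))) = \sigma,$$

and the same holds if we replace $(r, m)$ with $(r', m')$, so

$$\mu(\mathcal{R}(\mathcal{K}_j(r'', m'')) \mid \mathcal{R}(\mathcal{K}_i(r, m))) = \mu(\mathcal{R}(\mathcal{K}_j(r'', m'')) \mid \mathcal{R}(\mathcal{K}_i(r', m'))).$$

This gives us probabilistic secrecy. ∎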

Theorem 4.13: Let $(\mathcal{R}, \mathcal{D}, \Delta)$ be the adversarial probability system determined by INIT and suppose that $\mathcal{R}$ is either synchronous or a system where $i$ has perfect recall. Agent $i$ obtains no evidence for the initial choice in $(\mathcal{R}, \mathcal{D}, \Delta)$ iff agent $i^-$ maintains generalized run-based probabilistic $f_{i^-}$-secrecy with respect to $i$ in $(\mathcal{R}, \mathcal{M}^{INIT}_i(\Delta))$.

Proof: For the forward direction, we want to show that $i^-$ maintains generalized run-based probabilistic $f_{i^-}$-secrecy with respect to $i$ in $(\mathcal{R}, \mathcal{M}^{INIT}_i(\Delta))$. Suppose that $\mu \in \mathcal{M}^{INIT}_i(\Delta)$. The information function $f_{i^-}$ maps an $i^-$-information set to the choices made by the agents other than $i$. Let an $i^-$-choice set be a set of runs of the form $\bigcap_{j \neq i} D_{y_j}$. We must show that for arbitrary points $(r, m)$ and $(r', m')$ and $i^-$-choice sets $D_{i^-}$, we have

$$\mu(D_{i^-} \mid \mathcal{R}(\mathcal{K}_i(r, m))) = \mu(D_{i^-} \mid \mathcal{R}(\mathcal{K}_i(r', m'))). \quad (3)$$

Since, by assumption, $i$'s choice is encoded in $i$'s local state, there exists a unique $y_i$ such that $\mathcal{R}(\mathcal{K}_i(r, m)) \subseteq D_{y_i}$. Since $i$ obtains no evidence for the initial choice, we have that for all $i^-$-choice sets $D_{i^-}$ and $D'_{i^-}$,

$$\mu_{D_{y_i} \cap D_{i^-}}(\mathcal{R}(\mathcal{K}_i(r, m))) = \mu_{D_{y_i} \cap D'_{i^-}}(\mathcal{R}(\mathcal{K}_i(r, m))). \quad (4)$$

Thus, whenever $\mu(D_{y_i} \cap D_{i^-}) > 0$ and $\mu(D_{y_i} \cap D'_{i^-}) > 0$, we have

$$\begin{aligned}
\mu(\mathcal{R}(\mathcal{K}_i(r, m)) \mid D_{y_i} \cap D_{i^-}) &= \mu_{D_{y_i} \cap D_{i^-}}(\mathcal{R}(\mathcal{K}_i(r, m))) \\
&= \mu_{D_{y_i} \cap D'_{i^-}}(\mathcal{R}(\mathcal{K}_i(r, m))) \\
&= \mu(\mathcal{R}(\mathcal{K}_i(r, m)) \mid D_{y_i} \cap D'_{i^-}).
\end{aligned}$$

It now follows by Lemma C.1 that $\mathcal{R}(\mathcal{K}_i(r, m))$ is conditionally independent of every $i^-$-choice set given $D_{y_i}$. (Though Lemma C.1 actually shows only that $\mathcal{R}(\mathcal{K}_i(r, m))$ is conditionally independent of every $i^-$-choice set $D_{i^-}$ such that $\mu(D_{i^-} \cap D_{y_i}) > 0$, conditional independence is immediate if $\mu(D_{i^-} \cap D_{y_i}) = 0$.) Thus, for any $i^-$-choice set $D_{i^-}$, we have

$$\mu(D_{i^-} \mid \mathcal{R}(\mathcal{K}_i(r, m))) = \mu(D_{i^-} \mid \mathcal{R}(\mathcal{K}_i(r, m)) \cap D_{y_i}) = \mu(D_{i^-} \mid D_{y_i}) = \mu(D_{i^-}),$$

where the last equality follows because we have assumed that $i$'s choice is independent of the choices made by other agents. Similarly, $\mu(D_{i^-} \mid \mathcal{R}(\mathcal{K}_i(r', m'))) = \mu(D_{i^-})$, so (3) follows, and $i^-$ does indeed maintain generalized run-based probabilistic $f_{i^-}$-secrecy with respect to $i$.
For the converse, suppose that $i^-$ maintains generalized run-based probabilistic $f_{i^-}$-secrecy with respect to $i$. Thus, for all points $(r, m)$, $i^-$-choice sets $D_{i^-}$, and measures $\mu \in \mathcal{M}^{INIT}_i(\Delta)$, we have (3). Given two $i^-$-choice sets $D_{i^-}$ and $D'_{i^-}$ and an $i$-information set $\mathcal{K}_i(r, m)$ such that $\mathcal{R}(\mathcal{K}_i(r, m)) \subseteq D_{y_i}$, we want to show (4). To do so we first show that there exists a measure $\mu \in \mathcal{M}^{INIT}_i(\Delta)$ that places positive probability on all the cells. (We will make use of this particular measure for the duration of the proof.) Our strategy is to take a countable linear combination of the cell-specific probability measures, such that the set of runs in each cell is assigned positive probability by $\mu$. Let $y_{i1}, y_{i2}, \ldots$ be a countable enumeration of $INIT_i$, and let $D_1, D_2, \ldots$ be a countable enumeration of the possible $i^-$-choice sets. Define the function $\mu$ such that for $U \in \mathcal{F}$,



i>l,A:>l 
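It is straightforward to check that $\mu \in \mathcal{M}^{INIT}_i(\Delta)$ and that it places a positive probability on all the cells in $\mathcal{D}$. Furthermore, we have $\mu_{D_{y_i} \cap D_{i^-}}(\mathcal{R}(\mathcal{K}_i(r, m))) = \mu(\mathcal{R}(\mathcal{K}_i(r, m)) \mid D_{y_i} \cap D_{i^-})$, and the same holds if we replace $D_{i^-}$ with $D'_{i^-}$.

Given an $i$-information set $\mathcal{K}_i(r, m)$, let $y_i$ be the initial choice for $i$ such that $\mathcal{R}(\mathcal{K}_i(r, m)) \subseteq D_{y_i}$. For all $i^-$-choice sets $D_{i^-}$, we have

$$\mu_{D_{y_i} \cap D_{i^-}}(\mathcal{R}(\mathcal{K}_i(r, m))) = \mu(\mathcal{R}(\mathcal{K}_i(r, m)) \mid D_{y_i} \cap D_{i^-}).$$

Thus, to prove (4), it suffices to show that

$$\mu(\mathcal{R}(\mathcal{K}_i(r, m)) \mid D_{y_i} \cap D_{i^-}) = \mu(\mathcal{R}(\mathcal{K}_i(r, m)) \mid D_{y_i} \cap D'_{i^-}).$$

Standard probabilistic manipulations show that

$$\mu(\mathcal{R}(\mathcal{K}_i(r, m)) \mid D_{y_i} \cap D_{i^-}) \cdot \mu(D_{y_i} \mid D_{i^-}) = \mu(\mathcal{R}(\mathcal{K}_i(r, m)) \cap D_{y_i} \mid D_{i^-}); \quad (5)$$

a similar equation holds if we replace $D_{i^-}$ by $D'_{i^-}$. Since either $\mathcal{R}$ is synchronous or $i$ has perfect recall in $\mathcal{R}$, there exists a set $\Omega$ of $i$-information sets such that $\{\mathcal{R}(\mathcal{K}) : \mathcal{K} \in \Omega\}$ partitions $\mathcal{R}$. By Lemma C.1 and (3), it follows that $i^-$-choice sets are independent of the $i$-information sets in $\Omega$. Applying (3) again, it follows that $i^-$-choice sets are independent of all $i$-information sets. Thus, $\mu(\mathcal{R}(\mathcal{K}_i(r, m)) \cap D_{y_i} \mid D_{i^-}) = \mu(\mathcal{R}(\mathcal{K}_i(r, m)) \mid D_{i^-}) = \mu(\mathcal{R}(\mathcal{K}_i(r, m)))$. Since $D_{i^-}$ and $D_{y_i}$ are independent by assumption, it follows that $\mu(D_{y_i} \mid D_{i^-}) = \mu(D_{y_i})$. Thus, (5) reduces to

$$\mu(\mathcal{R}(\mathcal{K}_i(r, m)) \mid D_{y_i} \cap D_{i^-}) \cdot \mu(D_{y_i}) = \mu(\mathcal{R}(\mathcal{K}_i(r, m))).$$

The same is true for $D'_{i^-}$, so because $\mu(D_{y_i}) > 0$ it follows that $\mu(\mathcal{R}(\mathcal{K}_i(r, m)) \mid D_{y_i} \cap D_{i^-}) = \mu(\mathcal{R}(\mathcal{K}_i(r, m)) \mid D_{y_i} \cap D'_{i^-})$. (4) is now immediate. ∎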
D Generalizing from probability to plausibility



In this section we give the details of the plausibilistic results presented in Section 5. All those results correspond to probabilistic results from the previous section; in many cases the proofs are almost identical. For brevity we focus here on the nontrivial subtleties that arise in the plausibilistic case.

To show that Proposition 4.8 generalizes to run-based plausibility systems is straightforward. We simply replace all occurrences of multiplication and addition in the proof of Proposition 4.8 with $\otimes$ and $\oplus$; all the resulting equations hold by the properties of cacps's.

To define analogues of Theorems 4.9 and 4.10 we need a language that allows statements of the form $\mathrm{Pl}_i(\varphi) = c$, where $c$ is a constant that is interpreted as a plausibility value. Once we do this, the proofs of these results transfer to the plausibilistic setting with almost no change. We omit the straightforward details.

To prove Propositions 4.6 and 4.7 we first prove two results that generalize Lemma C.1. To do so, we need the following definition, taken from [Halpern 2003]. Define a cacps to be acceptable if $U \in \mathcal{F}'$ and $\mathrm{Pl}(V \mid U) \neq \bot$ implies that $V \cap U \in \mathcal{F}'$. To understand the intuition behind this definition, consider the special case where $U = W$. Since $W \in \mathcal{F}'$ (this follows from the fact that $\mathcal{F}'$ is nonempty and is closed under supersets in $\mathcal{F}$), we get that if $\mathrm{Pl}(V) \neq \bot$, then $V \in \mathcal{F}'$. This is an analogue of the situation in probability, where we can always condition on a set of nonzero measure.

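Lemma D.1: Let $(W, \mathcal{F}, \mathcal{F}', \mathrm{Pl})$ be an acceptable cacps. Suppose that $Y_1, Y_2, \ldots$ is a partition of $Y \in \mathcal{F}'$, and that $Y_i \in \mathcal{F}$ for $i = 1, 2, 3, \ldots$. For all $X \in \mathcal{F}$, the following are equivalent:

(a) $\mathrm{Pl}(X \mid Y_i) = \mathrm{Pl}(X \mid Y_j)$ for all $Y_i, Y_j \in \mathcal{F}'$.

(b) $\mathrm{Pl}(X \mid Y_i) = \mathrm{Pl}(X \mid Y)$ for all $Y_i \in \mathcal{F}'$.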

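Proof: Clearly (b) implies (a). To see that (a) implies (b), first note that since we are dealing with an acceptable cacps, if $Y_j \notin \mathcal{F}'$, then $\mathrm{Pl}(Y_j \mid Y) = \bot$ and hence, for all $X$, $\mathrm{Pl}(X \cap Y_j \mid Y) = \bot$. Given $Y_i \in \mathcal{F}'$, it follows that

$$\begin{aligned}
\mathrm{Pl}(X \mid Y) &= \bigoplus_{\{j : Y_j \in \mathcal{F}'\}} \mathrm{Pl}(X \cap Y_j \mid Y) \\
&= \bigoplus_{\{j : Y_j \in \mathcal{F}'\}} (\mathrm{Pl}(X \mid Y_j) \otimes \mathrm{Pl}(Y_j \mid Y)) \\
&= \bigoplus_{\{j : Y_j \in \mathcal{F}'\}} (\mathrm{Pl}(X \mid Y_i) \otimes \mathrm{Pl}(Y_j \mid Y)) \\
&= \mathrm{Pl}(X \mid Y_i) \otimes \Big(\bigoplus_{\{j : Y_j \in \mathcal{F}'\}} \mathrm{Pl}(Y_j \mid Y)\Big) \\
&= \mathrm{Pl}(X \mid Y_i),
\end{aligned}$$

as needed. ∎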

In the probabilistic setting, if either part (a) or (b) of Proposition C.1 holds, we are able to conclude that $Y_i$ is conditionally independent of $X$ given $Y$. By the symmetry of independence in the probabilistic setting, we can conclude that $X$ is also conditionally independent of $Y_i$ given $Y$, that is, that $\Pr(Y_i \mid X \cap Y) = \Pr(Y_i \mid Y)$. In the plausibilistic setting, independence is not symmetric in general unless we make an additional assumption, namely that $\otimes$ is symmetric. We say that a cacps is commutative if its $\otimes$ operator is commutative.

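Lemma D.2: Suppose that $(W, \mathcal{F}, \mathcal{F}', \mathrm{Pl})$ is a commutative acceptable cacps; $Y_1, Y_2, \ldots$ is a partition of $Y \in \mathcal{F}'$; $X \in \mathcal{F}'$, $X \subseteq Y$, and $\mathrm{Pl}(X \mid Y) \neq \bot$; and for all $Y_i, Y_j \in \mathcal{F}'$, $\mathrm{Pl}(X \mid Y_i) = \mathrm{Pl}(X \mid Y_j)$. Then, for all $Y_i \in \mathcal{F}$, $\mathrm{Pl}(Y_i \mid X) = \mathrm{Pl}(Y_i \mid Y)$.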

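Proof: First, suppose that $Y_i \in \mathcal{F}'$. By Lemma D.1 we have that $\mathrm{Pl}(X \mid Y_i) = \mathrm{Pl}(X \mid Y)$. Since $Y_i \cap Y = Y_i$ and $\otimes$ is commutative, we have

$$\mathrm{Pl}(X \cap Y_i \mid Y) = \mathrm{Pl}(X \mid Y_i) \otimes \mathrm{Pl}(Y_i \mid Y) = \mathrm{Pl}(X \mid Y) \otimes \mathrm{Pl}(Y_i \mid Y) = \mathrm{Pl}(Y_i \mid Y) \otimes \mathrm{Pl}(X \mid Y).$$

Similarly, since $X \subseteq Y$, we have

$$\mathrm{Pl}(X \cap Y_i \mid Y) = \mathrm{Pl}(Y_i \mid X) \otimes \mathrm{Pl}(X \mid Y).$$

Thus, $\mathrm{Pl}(Y_i \mid Y) \otimes \mathrm{Pl}(X \mid Y) = \mathrm{Pl}(Y_i \mid X) \otimes \mathrm{Pl}(X \mid Y)$. Since $\mathrm{Pl}(X \mid Y) \neq \bot$ by assumption, it follows from the definition of a cacps that $\mathrm{Pl}(Y_i \mid Y) = \mathrm{Pl}(Y_i \mid X)$.

If $Y_i \notin \mathcal{F}'$ but $Y_i \in \mathcal{F}$, then $Y_i \cap X \notin \mathcal{F}'$ (since $\mathcal{F}'$ is closed under supersets in $\mathcal{F}$). Since we are working in an acceptable cacps, $\mathrm{Pl}(Y_i \mid Y) = \bot$ and $\mathrm{Pl}(Y_i \mid X) = \bot$, so again $\mathrm{Pl}(Y_i \mid Y) = \mathrm{Pl}(Y_i \mid X)$. ∎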

With these results, plausibilistic versions of Propositions 4.6 and 4.7 can be proved with only minor changes to the proof in the probabilistic case, provided we make the additional assumptions stated in the main text. We replace the use of Lemma C.1 by Lemma D.1. The appeal to the symmetry of conditional independence is replaced by an appeal to Lemma D.2. However, to use this lemma, we need to assume that $\otimes$ is commutative and that for all points $(r, m)$,

• $\mathrm{Pl}_{cp}(\mathcal{K}_i(r, m) \mid \mathcal{PT}(\mathcal{R})) \neq \bot$ and $\mathrm{Pl}_{cp}(\mathcal{K}_j(r, m) \mid \mathcal{PT}(\mathcal{R})) \neq \bot$ (in the proof of total secrecy in the generalization of Proposition 4.6);

• $\mathrm{Pl}_{cp}(\mathcal{K}_i(r, m) \mid \mathcal{PT}(m)) \neq \bot$ and $\mathrm{Pl}_{cp}(\mathcal{K}_j(r, m) \mid \mathcal{PT}(m)) \neq \bot$ (in the proof of synchronous secrecy in the generalization of Proposition 4.6); and

• $\mathrm{Pl}(\mathcal{R}(\mathcal{K}_i(r, m)) \mid \mathcal{R}) \neq \bot$ and $\mathrm{Pl}(\mathcal{R}(\mathcal{K}_j(r, m)) \mid \mathcal{R}) \neq \bot$ (in the generalization of Proposition 4.7).

(We do not have to assume that the relevant cacps's are acceptable for these propositions; it is enough that they are commutative. We used acceptability in the proof of Lemma D.1 to argue that if a set $Y_j$ is not in $\mathcal{F}'$, then $\mathrm{Pl}(Y_j) = \bot$. Here, the sets $Y_j$ are of the form $\mathcal{R}(\mathcal{K}_i(r, m))$, and our other assumptions guarantee that they are in $\mathcal{F}'$.)

Turning to the generalization of Theorem 4.13, the first step is to define an adversarial plausibility system. The definition is completely analogous to that of an adversarial probability system, except that now the set $\Delta$ consists of the acceptable conditional plausibility spaces $(D, \mathcal{F}_D, \mathcal{F}'_D, \mathrm{Pl}_D)$, for each cell $D \in \mathcal{D}$. Again, we assume that $\mathcal{R}(\mathcal{K}_i(r, m)) \cap D \in \mathcal{F}_D$ and that, if $\mathcal{R}(\mathcal{K}_i(r, m)) \cap D \neq \emptyset$, then $\mathcal{R}(\mathcal{K}_i(r, m)) \cap D \in \mathcal{F}'_D$ and $\mathrm{Pl}_D(\mathcal{R}(\mathcal{K}_i(r, m)) \cap D) \neq \bot$. We say that an agent $i$ obtains no plausibilistic evidence for the initial choice in $(\mathcal{R}, \mathcal{D}, \Delta)$ if for all $D, D' \in \mathcal{D}$ and all points $(r, m)$ such that $\mathcal{R}(\mathcal{K}_i(r, m)) \cap D \neq \emptyset$ and $\mathcal{R}(\mathcal{K}_i(r, m)) \cap D' \neq \emptyset$, we have

$$\mathrm{Pl}_D(\mathcal{R}(\mathcal{K}_i(r, m)) \cap D) = \mathrm{Pl}_{D'}(\mathcal{R}(\mathcal{K}_i(r, m)) \cap D').$$

Suppose that V is determined by INIT (as in the probabilistic case), and that the conditional 
plausibility spaces of A are all defined with respect to the same domain D of plausibility 
values and with the same operations © and ®, where ® is commutative. Let jFp be the a- 

algebra generated by Uoev^D- Let 7V1 • ' (A) consist of all the acceptable plausibility 
spaces {TZ, jF-p, JF', PI) such that 

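• $\mathcal{F}'$ is a nonempty subset of $\mathcal{F}_{\mathcal{D}}$ that is closed under supersets;

• if $A \in \mathcal{F}_D$ and $B \in \mathcal{F}' \cap \mathcal{F}'_D$, then $\mathrm{Pl}(A \mid B) = \mathrm{Pl}_D(A \mid B)$;

• for all agents $i$ and points $(r, m)$, there exists a cell $D$ such that $\mathrm{Pl}(D) \neq \bot$ and $\mathcal{R}(\mathcal{K}_i(r, m)) \cap D \neq \emptyset$; and

• $\mathrm{Pl}(D_{(y_1, \ldots, y_n)}) = \mathrm{Pl}(D_{y_i}) \otimes \mathrm{Pl}(\bigcap_{j \neq i} D_{y_j})$.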

We can now state and prove the plausibilistic analogue of Theorem 4.13.

Theorem D.3: Let {TZ, T>, A) be the adversarial plausibility system determined by INIT and 
suppose that IZ is either synchronous or a system where i has perfect recall. Agent i obtains 
no evidence for the initial choice in {TZ,T>,A) iff agent i" maintains generalized run-based 

plausibilistic fi- -secrecy with respect to i in [TZ, A^[^^^' (A)). 

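Proof: The proof is basically the same as that of Theorem 4.13, but some new subtleties arise because we are dealing with plausibility. For the forward direction, we want to show that $i^-$ maintains generalized run-based plausibilistic $f_{i^-}$-secrecy under the assumption that $i$ obtains no evidence for the initial choice in $(\mathcal{R}, \mathcal{D}, \Delta)$. Much as in the proof of Theorem 4.13, we can show that $\mathrm{Pl}(\mathcal{R}(\mathcal{K}_i(r, m)) \mid D_{y_i} \cap D_{i^-}) = \mathrm{Pl}(\mathcal{R}(\mathcal{K}_i(r, m)) \mid D_{y_i} \cap D'_{i^-})$ if $D_{i^-} \cap D_{y_i} \in \mathcal{F}'$ and $D'_{i^-} \cap D_{y_i} \in \mathcal{F}'$. Continuing in the spirit of that proof, we now want to show that $\mathrm{Pl}(D_{i^-} \mid \mathcal{R}(\mathcal{K}_i(r, m)) \cap D_{y_i}) = \mathrm{Pl}(D_{i^-} \mid D_{y_i}) = \mathrm{Pl}(D_{i^-})$. For the second equality, note that, by assumption, $\mathrm{Pl}(D_{i^-} \cap D_{y_i}) = \mathrm{Pl}(D_{i^-}) \otimes \mathrm{Pl}(D_{y_i})$. Since the properties of acceptable conditional plausibility spaces guarantee that $\mathrm{Pl}(D_{i^-} \mid D_{y_i}) \otimes \mathrm{Pl}(D_{y_i}) = \mathrm{Pl}(D_{i^-} \cap D_{y_i})$, it follows that $\mathrm{Pl}(D_{i^-} \mid D_{y_i}) \otimes \mathrm{Pl}(D_{y_i}) = \mathrm{Pl}(D_{i^-}) \otimes \mathrm{Pl}(D_{y_i})$. Since $\mathrm{Pl}(D_{y_i}) \neq \bot$, $\mathrm{Pl}(D_{i^-} \mid D_{y_i}) = \mathrm{Pl}(D_{i^-})$.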

To prove the first equality, we want to apply Lemma D.2. To do so, we must first show that $\mathrm{Pl}(\mathcal{R}(\mathcal{K}_i(r, m)) \mid D_{y_i}) \neq \bot$. To see that this holds, recall that by assumption there exists a cell $D$ such that $\mathrm{Pl}(D) \neq \bot$, $\mathrm{Pl}_D(\mathcal{R}(\mathcal{K}_i(r, m)) \cap D) \neq \bot$, and $\mathcal{R}(\mathcal{K}_i(r, m)) \cap D \in \mathcal{F}'$. Since $\mathcal{R}(\mathcal{K}_i(r, m)) \cap D \neq \emptyset$, we must have that $D \subseteq D_{y_i}$. Indeed, we must have $D = D_{i^-} \cap D_{y_i}$ for some $i^-$-choice set $D_{i^-}$. Thus, we have

Pl(7^(/C,(r,m)) |Z}^J > Pl(7^(/C,(r, m)) n D | D^J 

= Pl(7^(/C,(r,m))|Z})®Pl(A- 
= Pb(7^(/Ci(r,m)) n D) ® Pl(A-) 

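By assumption $\mathrm{Pl}_D(\mathcal{R}(\mathcal{K}_i(r, m)) \cap D) \neq \bot$. Since $\mathrm{Pl}(D) \neq \bot$ and $D \subseteq D_{i^-}$, it follows that $\mathrm{Pl}(D_{i^-}) \neq \bot$. Thus, $\mathrm{Pl}(\mathcal{R}(\mathcal{K}_i(r, m)) \mid D_{y_i}) \neq \bot$.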

For the converse, we must construct an acceptable measure PI and a set JF' such that 
(7^, JS, PI) G -^^^'^^(A). We take J^' to consist of the sets U such that f/ n D G J^^^ for 
some cell D. For PI, we start by taking some arbitrary total ordering -< of the cells in V. Given 
V e J^andU e T', let Pl(l^ \U) = VX^iy ^ D \U ^ D) where D is the highest-ranked cell 
such that t/ n D G Td- By construction, PI behaves identically to the cell- specific measures 
when we condition on subsets of cells. It is easy to check that for all yi E INITi and i^-choice 
sets Di-, we have Pl{Dy^ fl D^-) = T, F\(Dy.) = T, and F\{Di-) = T. The independence of 
the choices made by i and follows immediately. 

To see that the measure satisfies the conditioning axiom (in the definition of a cacps), 
suppose that f/i, U2, f/3 G J" and U2 n U3 G J^'. We must show that Pl(f/i n U2 \ U3) = 
Pl(f/i|f/2n?73) 0Fl{U2\Us). There are two cases. If the highest-ranked cell that intersects 
f/3 (call it D) also intersects U2, then all three terms in the equality are determined by Pl/j, 
and the equality follows by applying the conditioning axiom to FId with Ui fl -D, f/2 fl D, and 
f/3 n If the highest-ranked cell D that intersects f/3 does not intersect f/2, then the first and 
third terms in the equality are both determined by FId and must be ± because f/2 fl -D = 0. 

Finally, the measure PI is acceptable (as required) because the underlying cell-specific mea- 
sures are acceptable. 

The remainder of the proof is a relatively straightforward extension of the probabilistic case. 
That i^-choice sets are independent of i-information sets follows from Lemma ID^ using the 
facts that agent i~ maintains generalized run-based plausibilistic /j- -secrecy, cells (and thus 
i^-choice sets) have non-± plausibility by construction, and all information sets are in JF'. | 



E Proofs for Section 6

Proposition 6.5: A limit-closed synchronous trace system $\Sigma$ satisfies separability (resp. generalized noninterference) iff $H$ maintains synchronous secrecy (resp., synchronous $f_{hi}$-secrecy) with respect to $L$ in $\mathcal{R}(\Sigma)$.

Proof: We give the argument for separability here; the argument for generalized noninterference is similar and left to the reader. The forward direction follows from Proposition 6.3. For the converse, suppose that $H$ maintains synchronous secrecy with respect to $L$ in $\mathcal{R}(\Sigma)$. Given $\tau, \tau' \in \Sigma$, let $\tau''$ be the trace such that $\tau''|_L = \tau|_L$ and $\tau''|_H = \tau'|_H$. We must show that $\tau'' \in \Sigma$. Since $H$ maintains synchronous secrecy with respect to $L$ in $\mathcal{R}(\Sigma)$, for all $m$, there exists a run
r"* G 7^(S) such that r'^(m) = r]^{m) and r^{m) = r'^^{m). Thus, for all m, there exists a 
trace r*" G S such that t'^\l = t|l and r^|_ff = t'I^. It follows that t'^ = r™ for all ni. Since 
r"^ G S for all m, it follows by limit closure that t" G S, as desired. | 
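A finite-horizon check of the correspondence in Proposition 6.5, added here as an illustration and not taken from the paper: it tests separability and synchronous secrecy of H with respect to L on two small constructed trace systems. The (low, high) event encoding, the function names and both sample systems are assumptions; because every trace is finite, limit closure plays no role here.

```python
from itertools import product

# Assumed encoding (not the paper's): a trace is a tuple of (low, high) event
# pairs, one pair per clock tick, so the system is synchronous by construction.

def low(trace, m=None):
    """L's local state at time m: the low components of the first m events."""
    return tuple(event[0] for event in trace[:m])

def high(trace, m=None):
    """H's local state at time m: the high components of the first m events."""
    return tuple(event[1] for event in trace[:m])

def separable(system):
    """Separability: splicing L's view of any trace with H's view of any
    other trace yields a trace that is again in the system."""
    return all(tuple(zip(low(t), high(u))) in system
               for t in system for u in system)

def secrecy_fails_at(system, horizon):
    """Earliest time m at which some L state rules out some H state that
    occurs at time m, or None if H maintains synchronous secrecy w.r.t. L."""
    for m in range(horizon + 1):
        joint = {(low(t, m), high(t, m)) for t in system}
        lows = {l for l, _ in joint}
        highs = {h for _, h in joint}
        # joint is a subset of lows x highs; secrecy at m means equality.
        if len(joint) != len(lows) * len(highs):
            return m
    return None

def independent_system(n):
    """Constructed sample: low and high bits chosen freely at every step."""
    events = list(product((0, 1), repeat=2))
    return set(product(events, repeat=n))

def delayed_copy_system(n):
    """Constructed sample: L's event at step k+1 echoes H's event at step k."""
    system = set()
    for hs in product((0, 1), repeat=n):
        ls = (0,) + hs[:-1]
        system.add(tuple(zip(ls, hs)))
    return system

if __name__ == "__main__":
    N = 3
    for name, build in (("independent", independent_system),
                        ("delayed copy", delayed_copy_system)):
        s = build(N)
        print(name, "separable:", separable(s),
              "secrecy first fails at:", secrecy_fails_at(s, N))
```

In the delayed-copy system L learns nothing at time 1, and the first point at which L can rule out an H state is time 2, which is also where separability breaks.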

PropositionlOl //S Z5 an asynchronous trace system that satisfies asynchronous separability 
(resp. asynchronous generalized noninterference), then H maintains total secrecy (resp. total 
fhi-secrecy) with respect to L inlZiJl). 

Proof: Suppose that S satisfies asynchronous separability, and let (r, m) and (r', m') be arbi- 
trary points. By the construction of 7^(E), there exist traces t,t' E T such that rL{m) = t\l 
and rH{rn) = t'Ih- Let r" be an interleaving of t\l and t'Ih- Since S satisfies asynchronous 
separability, r" G S. Let T" be a run-like set of traces that contains r". (Such a set must exist 
because S is closed under trace prefixes.) By definition, G 7?.(S). Taking m to be the 
length of t", it follows that r'l(m") = rL{m) and r'^{m") = r^(m'). Thus, H maintains total 
secrecy with respect to L. 

The proof for asynchronous generalized noninterference (and total //jj-secrecy) is analo- 
gous, and left to the reader. | 

Proposition^ //S is an asynchronous trace system that is closed under interleavings, then 
S satisfies asynchronous separability ijfH maintains total secrecy with respect to L in 7^(S). 

Proof: We have already established the forward direction. For the converse, suppose that H 
maintains total secrecy with respect to L in 7?.(S), and that S is closed under interleavings. 
Given r, r' G S, there exist points (r, m) and (r',m') in VT{Tl{'E)) such that ri{m) = t\l 
and r'fj(m') = t'\h- Since H maintains total secrecy with respect to L in 7^(S), there exists 
a point (r",m") such that r'[{m") = ri{m) and r'lj{m") = r^(m'). By the construction of 
7^(E), there exists a run-like set T of traces such that r" = r^. Taking r" to be the traces 
of length m" in T, it follows that t"\l = r\L and r"\H = t'Ih- Because S is closed under 
interleavings, t" G S as required. | 